CRO FAQ
What cyber liability limit does a CRO need?
CRO cyber liability is sized on the basis of the largest sponsor dataset under management - subject count, PHI sensitivity, and regulatory framework - not on CRO headcount or revenue. A CRO supporting a 2,000-subject Phase 3 trial with EU sites faces breach exposure that scales with the number of subjects (notification, credit monitoring, and per-record regulatory penalties are all counted per affected individual) and with the regulatory framework the data falls under (HIPAA, where the CRO acts as a business associate of a US covered entity, and GDPR, where it acts as a processor for EU sites), not with the CRO's 50 employees.
Typical cyber liability placements for clinical CROs: $5 million for early-stage CROs supporting Phase 1 studies, $10 million for mid-stage clinical CROs handling Phase 2 multi-site work, $25 million or higher for late-stage public-sponsor CROs handling Phase 3 oncology trials with EU sites. Pre-clinical CROs (bioanalytical, toxicology) generally place lower because the dataset is animal subject data, not human PHI.
The coverage components that drive sponsor MSA compliance are breach response, regulatory defense under HIPAA/GDPR, business interruption from system compromise, and contingent cyber for vendor failures (eTMF host, EDC vendor, central lab). Sponsor MSAs increasingly require explicit contingent cyber coverage because a compromise at one of those vendors is still a breach of sponsor data the CRO is contractually responsible for, and third-party vendor compromise is among the most common breach vectors for CROs.