Understanding Data Breach & Cyber Liability Insurance

The average global cost of a data breach increased by 15% in a three-year period, reaching $4.45 million in 2023. As a result, insurance agents need to become more familiar with data breach and cyber liability insurance policies for their clients. To help you identify opportunities to recommend this type of insurance, here we look at their differences, costs, and the types of clients that need them.

Difference Between Cyber Liability and Data Breach Insurance

When deciding whether cyber liability or data breach insurance is right for your clients, consider the following differences:

• Cyber liability offers full coverage for both first-party losses related to recovery and management and third-party losses to cover legal fees and regulatory fines, while data breach insurance only covers first-party losses.
• Cyber liability insurance is recommended for clients at risk of events that affect their equipment and will likely lead to costly business disruptions, while data breach insurance is best for clients at higher risk of breaches that involve unauthorized access to sensitive information.

What is Cyber Liability Insurance?

Cyber liability insurance provides the following coverage:

First-party coverage

First-party coverage includes the following costs for the insured:

• Event investigation
• Repairs to damaged or lost equipment
• Lost revenue
• Public notification costs
• Credit monitoring

Third-party coverage

Third-party cyber liability helps pay for lawsuits caused by data breaches on a client's network or systems. It also covers any fines incurred due to regulatory non-compliance if your client, the insured, failed to protect their data.

The types of events cyber liability insurance covers include data breaches, cyber extortion, business interruption due to hackers, etc. but does not include theft of company files.

While clients might believe they can save on premiums by using professional liability insurance to cover their cyber liability claims, overall, standalone cyber liability policies are much more affordable. Your clients are also at risk of using up their liability insurance to cover a cyber event. As a result, they won’t have sufficient coverage if they face a professional liability lawsuit.

What is Data Breach Insurance?

Data breach coverage focuses on managing the aftermath of a breach such as notifying the affected parties, credit monitoring, event investigation, etc. and does not cover fines and legal costs. It also covers both cyber data breaches and theft of physical company documents such as patient records, legal files, etc.

An important thing to keep in mind is that most Errors & Omissions (E&O) policies now include a form of basic data breach coverage due to data breach notification laws. However, it’s important to consider the risks, type, and size of the organization to ensure your clients have appropriate coverage.

First Party vs. Third Party Coverage with Data Breach Insurance

Data breach insurance primarily covers first-party costs, helping businesses manage immediate financial impacts such as notification expenses, credit monitoring services, forensic investigations, public relations efforts, and data restoration. However, some policies may also offer limited third-party coverage, including legal defense costs, settlements, judgments, and regulatory fines and penalties. 

For comprehensive protection, businesses often need both data breach insurance for specific breach-related expenses and broader cyber liability insurance to cover a wider range of third-party liabilities and cyber risks.

Understanding First Party vs. Third Party Cyber Liability Insurance

Having both first-party and third-party cyber liability insurance is crucial for comprehensive protection against cyber threats. First-party coverage ensures that businesses can recover quickly from the direct financial impacts of a cyber incident, minimizing disruption to their operations. Third-party coverage, on the other hand, shields businesses from the potentially crippling legal and financial consequences of claims made by external parties. Together, these coverages provide a robust defense against the myriad risks associated with cyber incidents, ensuring that businesses are well-equipped to handle both immediate and long-term impacts.

First-Party Cyber Liability Insurance

First-party cyber liability insurance is designed to help the insured entity recover from the immediate financial impact of a cyber attack. Coverage typically includes:

• Data Breach Response Costs: Expenses related to notifying affected parties, providing credit monitoring services, and conducting forensic investigations to determine the cause and extent of the breach.
• Business Interruption Losses: Compensation for lost income and extra expenses incurred while the business operations are disrupted due to a cyber incident.
• Cyber Extortion: Coverage for ransom payments and associated costs if the business falls victim to ransomware or other forms of cyber extortion.
• Data Restoration: Costs to restore, recover, or replace data that has been compromised or destroyed.

Third-Party Cyber Liability Insurance

Third-party cyber liability insurance helps protect the business from the legal and financial repercussions of such claims. Coverage typically includes:

• Legal Defense Costs: Expenses for defending the business against lawsuits and regulatory investigations stemming from a cyber incident.
• Settlements and Judgments: Payments for settlements or court-ordered judgments if the business is found liable for damages to third parties.
• Regulatory Fines and Penalties: Coverage for fines and penalties imposed by regulatory bodies due to non-compliance with data protection laws and regulations.
• Privacy Liability: Claims related to the unauthorized disclosure of personal or sensitive information belonging to customers, clients, or employees.

What Types of Clients or Industries Need Data Breach Insurance?

There are three categories of organizations that would benefit from data breach coverage:

1. Companies that store financial/government customer information such as credit card/bank account numbers, Social Security numbers, loyalty program numbers, etc.
2. Companies that handle personal health information
3. IT or technology related businesses, especially those offering web hosting or data storage of customer/proprietary information

You can identify clients at high risk and most likely to need data breach insurance based on the following questions:

Is their industry highly targeted?

Based on our list above, the following industries are at the highest risk:

• Retail, consumer service, and financial service industries that store and manage transaction data, financial accounts, and employee records.
• Healthcare and insurance industries storing and managing sensitive personal information.
• Government agencies at all levels store and manage sensitive financial information as well as social security numbers.

Is the data used in the industry considered high value?

Cyber-attacks tend to target higher value data sought by criminals looking for opportunities to commit financial fraud, including:

• Customer financial data
• Employee records
• Confidential client information
• Property ownership data and titles

However, client and proprietary business data are also valuable for industrial espionage.

Who has access to the network?

Networks that allow user access are far riskier than those that only allow internal access.

What is the client’s security budget?

Businesses with lower security budgets will be more likely to experience higher losses related to breaches and environmental events.

How stable is the business?

The average small business can be damaged so badly they often go out of business within six months of a cyber-attack.

How Much Does a Data Breach Cost?

In February 2024, British medical imaging, and health services company Change Healthcare experienced an extensive ransomware attack that caused ongoing network interruptions. The company is rumored to have paid a $22 million ransom, which does not include other costs such as the forensic investigation, legal fees, regulatory fines, etc. The average for these additional costs in 2023 included:

• Incident response and recovery: $1.58 million
• Post-breach response costs: $1.2 million
• Personally identifiable information (PII) costs: $183 per record stolen
• Lost business and reputation damage: $1.3 million

Detection, escalation-related costs, and ransom demands vary based on the industry, scope of the incident and value of the data compromised during the incident. Noncompliance penalties are impacted by multiple factors such as data type, scope of the breach, location, response, etc. Here are examples of the top privacy violation fines in the past five years:

• Facebook: $5 billion
• Didi Global: $1.2 billion
• Amazon: $886 million
• Equifax: $700 million
• Epic Games: $520 million
• T-Mobile: $500 million
• Home Depot: $200+ million
• Capital One: $190 million
• Google: $170 million
• Twitter: $150 million
• Morgan Stanley: $155 million (total)
• Zoom: $85 million
• Capital One: $80 million
• Anthem: $39.5 million
• Yahoo!: $35 million
• TikTok: $5.7 million
• Zoetop: $1.9 million
• Sephora: $1.2 million
• CafePress: $500,000

What’s Not Covered by Cyber Liability or Data Breach Coverage?

It’s essential to review policy exclusions and limitations with clients to ensure they understand what is and isn’t covered. Common limitations and exclusions include:

• Limited business interruption coverage based on the incident and type of disruption
• Gradual data breaches that take place over an extended period
• Delays in discovering an incident
• Intentional acts considered fraudulent claims
• Vulnerabilities due to inadequate security and precautions
• Regulatory non-compliance

By addressing these gaps in your insureds policies, you can provide the best possible coverage for each client.

With data breaches costing victims an average of $4.45 million, advising clients to consider data breach or cyber liability insurance will protect them against this increasing risk. Pointing out gaps in their professional liability/errors and omissions policy will help them recognize the need for this additional coverage.   

When your clients require specialty insurance policies for their businesses, Novatae has the experience to provide customized solutions suited to their needs. Contact Novatae for more information.

This article is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.