With an ever-increasing number of cybersecurity threats and attacks, companies are becoming motivated to protect their businesses and customer data both technically and financially.
Finding the right insurance has become a key part of the security equation, which is no surprise given that the average cost of a data breach in the US has risen to $9.44 million — more than twice the global average of $4.35 million.
The global cyber insurance market was valued at $13.33 billion in 2022, according to research by Fortune Business Insights, and is expected to grow from $16.66 billion in 2023 to $84.62 billion by 2030.
North America is projected to dominate the market due to increasing cyberattacks, particularly ransomware, and a high risk of data loss, while Europe will also gain a prominent market share, in part because “digitalisation among organisations remains vulnerable to malicious cyberattacks.”
Companies in the US looking to protect themselves have most likely heard the terms “cyber liability insurance” and “data breach insurance.” While they're often used interchangeably and many organisations tend to think they're the same, that's not the case.
Understanding the distinction is important, as cyber insurance is becoming an integral part of the security landscape. Many companies may have no choice but to find insurance as more organisations are requiring that their business partners have cyber coverage.
Many traditional business insurance policies will simply not cover cyber incidents, considering them outside the scope of the agreement, which is why cyber insurance has become a separate form of protection.
It’s also important to note that getting insurance isn’t guaranteed — insurers are increasingly asking for more proof that strong cybersecurity strategies are in place before agreeing to provide coverage. Many companies may have no choice but to meet such terms.
Put simply, cyber liability insurance refers to coverage for third-party claims asserted against a company stemming from a network security event or data breach. Data breach insurance, on the other hand, refers to coverage for first-party losses incurred by the insured organisation that has suffered a loss of data.
Here's a closer look at each:
What is cyber liability insurance?
Cyber liability is defined as the potential for an organisation to cause damage to other organisations or individuals, says Zachary Kaiser, strategic risk advisor at McClone, an independent insurance agency.
“When we talk about liability, we're talking about security liability, for example, transferring malware to another party, and privacy liability, for instance, accidentally disclosing customers’ personally identifiable information,” he says.
Cyber liability insurance provides coverage that helps protect organisations against direct expenses incurred as a result of responding to and recovering from data security incidents and any associated legal costs and liability, says Allen Blount, cyber team leader at Risk Strategies.
For example, a company experiences a cyberattack on its computer systems by hackers that results in the compromise or theft of sensitive customer information.
These customers may choose to file a lawsuit or class action against the company for failing to adequately safeguard their sensitive personal information and expose them to the risk of future harm, including fraud and identity theft, says Anjali Das, partner and co-chair of the national cybersecurity and data privacy practice team at Wilson Elser LLP.
“Cyber liability insurance usually provides coverage for the defense of such third-party claims and lawsuits, including potential damages, judgments, and/or settlements,” she says.
Cyber liability insurance provides both first- and third-party coverage
“But cyber liability insurance can also provide first-party coverage,” says Layna Cook Rush, a shareholder at Baker, Donelson, Bearman, Caldwell Berkowitz PC and the head of the firm's data incident response team.
Cyber liability insurance is aimed at providing comprehensive protection against cyberattacks and typically covers a wide range of cyber incidents, such as ransomware attacks, data theft and extortion, and phishing email scams, Rush says. It provides both first-party and third-party coverage.
First-party coverage insures against financial losses incurred by the company in responding to the incident including investigation of the incident, remediation of affected systems, any required notifications, and the cost of credit monitoring services, according to Rush.
Kiran Boosam, vice president and global insurance industry leader at Capgemini, agreed that cyber liability insurance is usually a comprehensive policy covering the losses or damages for both the organisation that buys the policy and other affected parties, such as individuals or businesses.
A comprehensive cyber liability insurance policy typically covers monetary losses, such as lost revenue and profits, additional costs related to notifying affected customers, recovering the compromised data, and repairing damaged equipment and computers.
It also covers an organisation's legal expenses, such as legal fees, monetary settlements to cover the losses to other affected parties, as well as any punitive damages such as regulatory fines, Boosam says.
“For instance, a malware attack occurs at a bank exposing proprietary data and its customers’ personally identifiable information (PII) data, taking down the bank’s website,” he says.
"A comprehensive cyber liability insurance will not only protect the financial interest of the bank and its clients against the PII data breach, but it will also cover the financial losses and associated costs incurred due to interruption to the bank’s online businesses.”
What is data breach insurance?
Data breach insurance is a subset of cyber liability insurance and protects against only some of the losses associated with a cyber incident, according to Rush. Data breach insurance provides only first-party coverage and not third-party coverage.
“Data breach insurance does not cover third-party claims, such as lawsuits against the company by impacted individuals or third parties or regulatory action by state or federal government agencies,” Rush says. “Cyber liability insurance is generally more comprehensive than data breach insurance because it covers both first-party and third-party liability.”
Data breach coverage refers to first-party losses incurred by the insured company that has experienced a network security event or cyberattack, according to Das.
Such first-party losses may include business interruption losses, legal fees, costs to hire a cybersecurity firm to conduct a forensics investigation of the nature and scope of the incident, and costs incurred to notify affected individuals of the incident if it results in the compromise of their personal information, Das says.
Additional first-party losses that might be covered under a data breach insurance policy include public relations costs or even ransom or extortion payments to cyber criminals.
Jaime Palumbo, vice president of claims at Corvus Insurance, says data breach insurance is not a particular form of insurance, but rather a subset of a comprehensive policy.
A data breach or incident is typically where sensitive or personal information of employees, customers, clients, etc., is accessed or taken from the policyholder without authorisation, she says. In the context of insurance coverage, a cyber policy can provide both first-party and third-party coverage for this type of incident in various ways.
"It generally provides coverage for breach response expenses, which are the costs associated with retaining breach or privacy counsel or a digital forensics vendor to perform a review of the affected systems," Palumbo says.
Also, if the policyholder experiences a period of downtime or system interruption due to the cyber incident, there may be business income loss available, she says. And tying in the liability component, coverage would also exist if the policyholder was served with a lawsuit filed by the individuals whose data was affected in the breach.
Companies should make sure a policy includes the right coverage
Fortunately for those interested in purchasing cyber insurance, the cyber product offering generally comes standard with an array of first-party and third-party coverage to ensure that a policyholder is protected against its own losses as well as the cyber losses of others that it may have caused, Palumbo says.
“However, a company should still remain vigilant when evaluating coverage to ensure that all avenues of risk for their respective industry classes are covered,” she says.
“The company should understand what data it stores, maintains, and collects to appreciate the impact and ramifications of a potential data breach. Knowing the volume and sensitive nature of maintained records can translate to the amount of coverage necessary to cover a loss.”
Rahul Mahna, a partner of outsourced IT services at EisnerAmper, cautions companies to read the fine print to determine the limitations on first-party and third-party coverage.
“Cyber liability and data breach insurance are not substitutes for a robust cybersecurity policy — they are complementary,” Mahna says.
“Any company that gambles on a cheaper, after-the-incident solution, such as insurance, in lieu of the necessary people, training, technology, and processes to prevent incidents from ever happening are playing a dangerous, risky game.”
What is cyber insurance in the UK and Australia?
Things work a little differently in the UK and Australia says Richard Hodson, founder of London-based RC Hodson Insurance Services. In the UK, companies purchase “cyber insurance,” which covers both first- and third-party costs if an organisation's data or systems have been compromised, damaged, lost, or stolen.
In the UK, cyber insurance comes in two parts: cyber liability insurance, which is the same as third-party insurance, and first-party insurance, says Hodson. Cyber insurance helps protect businesses against the financial implications of data breaches, security failures, illegal threats, or cyberattacks.
“We don't use the phrases ‘cyber liability insurance’ and ‘data breach insurance’ in the UK because organisations buy both parts of the cyber insurance policy,” he says.
“Companies buy cyber insurance because it covers their own losses for the costs of the investigation and bringing in the forensic people to determine what happened in the event of a breach and any fines for its own losses, for example, as well as the losses suffered by third-parties.”
"So, the way we sell cyber insurance is very different and the same is true in Australia as well,” Hodson says. “The Australians follow the UK model.”
The National Cyber Security Centre in the UK offers some advice that applies to companies in the US as well as the UK. “Cyber insurance will not instantly solve all of your cybersecurity issues, and it will not prevent a cyber breach/attack,” according to the organisation.
“Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.”