First Party vs. Third Party Cyber Liability Insurance

For those of us who are not insurance experts, the distinction may not be obvious.  As explained in more detail here, the difference is in who experiences the loss.

First party coverage covers damage to your own business, such as the costs of notifying customers, purchasing credit monitoring services, repairing reputational damage or paying a cyber extortionist.

Third party coverage covers things like costs related to the theft, misuse or disclosure of other people’s information (customers, for example) that is stored on your network, or infringement of the right to privacy, among others. Third party coverage is more common.

This article discusses some of the myths surrounding first party coverage.

Another article, “Sizing Up Cyber Risks After The Sony Breach” says that DHS reported, after a late 2012 cyber security insurance workshop, that first party coverage is “expensive, rare and largely unattractive”.

Some people thought that their general commercial liability coverage (GCL) included cyber risks. Some policies did years ago, but very few do today, as many breach victims have discovered after the fact.

The important point here is that cyber liability policies do not have standard state-mandated language. As part of your business risk analysis process, it is therefore important to document which risks you want to be covered for, and then validate that the coverage you currently have or are planning to buy provides the coverage you need. To do this effectively, you need to estimate your costs from a cyber breach in each and every category, so that you can figure out what you can and are willing to absorb internally versus what you want your insurance carrier to help cover. Unfortunately, this is neither a simple nor an exact process.

Parting thought — you cannot do this review after you are the victim of a cyber breach. Even though everyone hopes it is going to happen to the other guy, that is not always the case. Although Target, Home Depot and Sony get the press coverage, the breach that hit the Jimmy John's sandwich chain this year, for example, also hit hundreds of mom-and-pop pizza and sub shops.