Types of data-breach coverage

Coverage for data breaches is typically divided into first-party and third-party coverage.

First-party cyber liability coverage pays for expenses related to a data breach that directly affects your company, including:

  • Business interruption. The insurance pays the expenses and potential lost income if you need to temporarily shut down your business because of a data breach.
  • Forensics and mitigation. The insurance pays to find the cause of the breach and make any repairs or updates to your systems.
  • Data recovery. The insurance pays to recover any data lost during the breach.
  • Brand reputation. The insurance pays for expenses such as hiring a public relations firm to help repair your company’s reputation after a breach.
  • Credit monitoring. The insurance pays for services to monitor the credit of your company and of the clients, vendors and contractors whose data was exposed.

Third-party cyber liability coverage pays for claims brought against your company by the people or organizations affected by the data breach. Examples include:

  • Legal defense against lawsuits brought by clients, contractors or vendors whose data was compromised by the data breach.
  • Settlement fees.
  • Damages ordered by the court.

What is not covered by data breach insurance coverage?

Like all types of insurance, data breach insurance doesn’t cover everything. Here are some of the more common exclusions:

  • Information stored with third parties. For example, if data stored with one of your vendors is compromised by a data breach of their systems, your data breach insurance probably won’t cover you. However, their data breach or cyber liability policy may.
  • Acts of war. This exclusion may be invoked if the data breach is attributed to state-sponsored hackers. Whether an attack attributed to a nation-state actually counts as an act of war depends on the policy wording, and insurers and policyholders have disputed it in court.
  • Negligence. Failing to maintain your systems, for example by not applying software updates or security patches, could result in your claim being denied.
  • Social engineering. Phishing is itself a form of social engineering, and a breach that starts with a phishing email is typically covered. Losses that result from an employee being talked into voluntarily handing over confidential information or transferring funds, however, may be excluded or limited to a separate, smaller sublimit.
  • Employees. If the data breach is caused by employee malfeasance, it typically will not be covered.
  • Company devaluation and future profits. While most policies include some form of business interruption coverage, many won’t protect you if the data breach causes a devaluation of your company or results in a decrease in revenue.

Speak with your insurance agent or broker so you have a clear understanding of what is and isn’t covered by your policy. 

Why is data breach coverage important for small businesses?

IBM’s latest data on the cost of a data breach showed that the average corporate loss from a data breach rose approximately 10% from the previous year to $4.88 million.

The report also stated that of the companies that had fully recovered from a data breach, more than three-quarters said it took more than 100 days, while almost a third required more than 150 days.

According to the FBI’s Internet Crime Report, the number of cybercrime complaints over the past five years rose from 467,361 in 2019 to more than 880,000 in 2023. 

The importance of data breach insurance grows with the increase in incidents and their costs. 

Who needs data breach insurance coverage?

Any small business that stores personally identifiable information (PII) should consider data breach insurance. PII includes names, addresses, payment information and Social Security numbers.

Data breach coverage makes even more sense if you collect or store protected health information. HIPAA fines can range from $100 to $50,000 per violation. 

You may also want to consider data breach insurance coverage if you’re in finance or IT. Munich Re’s “Cyber Insurance Risks and Trends 2024” shows finance, IT and health care as the top three industries filing privacy claims followed by business and professional services, retail and manufacturing. 

Data breach insurance companies 

Some of the largest insurance companies in the cyber liability and data breach coverage space, according to the National Association of Insurance Commissioners, include:

  • American International Group (AIG)
  • Berkshire Hathaway
  • Chubb
  • Liberty Mutual
  • Nationwide

Some of these companies offer data breach coverage both as part of a cyber liability policy and as a separate data breach insurance policy.

How much does data breach insurance cost?

A number of factors determine the cost of data breach coverage. One of the first is whether it is a rider for another policy (such as a general liability policy), a stand-alone policy or bundled with other policies. Insureon, a small business insurance broker, says a standalone policy runs about $145 a month and a data breach rider costs small businesses an average of $42 per month. 

A data breach rider could be added to general liability, tech errors and omissions (E&O) and other insurance policies. 

But various factors can increase the price of a policy, including:

  • Coverage limits. Higher coverage limits are more expensive. 
  • The size of your company. Larger companies usually require more coverage.
  • The amount and type of data you collect and store. If you collect and store large amounts of data, especially sensitive data such as PHI, you’ll want a good amount of coverage.

Talk with your agent or insurance company for a better understanding of the factors that will determine your premiums. 

How to prevent your business from suffering a data breach

There are ways to reduce the threat of a data breach, including:

  1. Having a clear understanding of what data is being stored and where. When you know what information is being stored and where, you can create a security plan tailored to your needs. For example, if you have PHI on one computer you can decide who has access to it, whether it is connected to the internet, and how to secure it.
  2. Limiting access to data. Chances are that not everyone in your company needs access to all of your data. By restricting access to those who need it, you limit how much data a single compromised account or careless employee can expose.
  3. Training your employees. Train your employees to understand your security protocols and the ways to avoid falling victim to scams like phishing emails and other forms of social engineering.
  4. Utilizing basic security protocols. Some basic security steps include a separate account with a unique, strong password for each employee, requiring multi-factor authentication, changing the default administrator password on your router and keeping your Wi-Fi on WPA2 or WPA3 with a strong passphrase. Hiding the network name (SSID) is sometimes recommended, but it offers little real protection, since the name is still visible to anyone running a wireless sniffer when a device connects.
  5. Maintaining your system security. This involves staying current with system updates and security patches. Not only does this keep your defenses current against known threats, but some cyber liability insurers won’t pay a claim if they believe your company was negligent, for example if the data breach exploited a known vulnerability that you hadn’t patched.

Some insurers may audit your system and its security before issuing a cyber liability or data breach policy. After doing so, they may recommend additional steps to lock down your data further. 

Data breach insurance: FAQs

What should you do after a data breach?

  1. Prevent further damage. The Federal Trade Commission’s recommended first step in responding to a data breach is to stop further loss of data by closing off the vulnerabilities that caused the breach. Take affected systems offline, but don’t wipe or power them off before a forensics expert has preserved the evidence, since the logs and memory on those machines are what the investigation depends on. This step includes contacting a data forensics expert to help identify the cause of the breach. Some insurance companies may be able to help you locate an expert.
  2. Activate your team. In many cases, you won’t be able to respond to a breach on your own and will need a team of experts to assist you. This could include tech experts to help secure your system and prevent further breaches and a lawyer to help you meet any state or federal data breach requirements, which is especially important if protected health information has been compromised.
  3. Contact your insurance company. Do this early: many policies require notice within a set period and may require you to use the insurer’s approved forensic and legal vendors for the costs to be reimbursed.
  4. Notify law enforcement. Your lawyer can help you identify which agencies and law enforcement organizations need to be notified.
  5. Notify those affected by the breach. Your legal counsel also can help you understand any requirements, such as timelines, for notifying those affected by your data breach. They may even be able to help you set up credit and identity theft monitoring and other services for the people affected.

Having a plan and team identified and in place ahead of time can increase the speed at which you can react to a breach and mitigate further damage. It can also lessen the stress of putting one together in the heat of the moment. 

Insurance companies, cyber security specialists and lawyers with a specialty in cyber attacks, privacy, or data breaches can help you put together a plan that fits your company’s specific needs.

Are all types of data breaches covered?

Whether a data breach is covered may depend on who or what caused it. As listed above, breaches caused by employee malfeasance or nation-states typically won’t be covered. The same holds true for breaches caused by social engineering.

If the data is stored by a third party, such as a data center, your policy may not cover that either.