What are Data Breach and Cyber Liability Coverages?
A data breach is an incident in which unauthorized individuals gain access to sensitive, protected, or confidential data. Today more than ever, all companies are at risk for data breaches. Whether your business is large or small, hackers are targeting everyone.
"Data is one of the most valuable assets your company has — and one of the most vulnerable. Increasingly, hackers and malicious threats are targeting smaller businesses because they think they aren't paying attention. It is crucial to have plans in place to keep your data safe at every touch point, protect your systems, monitor for intrusions and be ready to mitigate a breach." — Eric Cernak, vice president of cyber practice at The Hanover
Not sure if you could be a potential target? Ask yourself:
Do I store, own, or have access to data?
What kind of data is it?
How many data records do I have?
Without the right protection, the negative impact of a data breach incident can be extremely costly:
25,575 records – average size of a data breach
$242 – cost per lost record
245 days – amount of time to identify and contain a breach
What type of data is at risk?
Data breaches often fall into one of two categories:
Personal information − such as names, emails, date of birth, street addresses, social security numbers, or phone numbers.
Financial information − data from business transactions including credit card or bank account information.
If you store either (or both) of these types of data or transact business electronically, you are at risk.
Have you considered what can happen?
What if...
An employee loses a laptop, thumb drive, or cell phone with sensitive information?
An employee steals information and uses it fraudulently?
Files, invoices, or other client paperwork are improperly discarded?
A hard drive is not wiped clean before being discarded?
A credit card system is compromised?
A firewall fails and hackers access sensitive information?
Your data is held for ransom?
Any of these could happen to you at any time. If one did, would you be prepared?
Cyber Liability Coverage
This tailored coverage offers businesses protection from the threats posed by cyberattacks and data breaches, including losses to a company's finances, reputation, and operational capabilities.
Data breach coverage will help protect your business from the direct costs when a data breach occurs. These costs include things like notifying clients that an incident has occurred, credit monitoring for all those affected, cyber investigation, and public relations expenses.
Cyber liability coverage will help protect your business from the costs associated with a lawsuit against your business — for example, clients alleging financial damage as a result of a data breach.
Coverage highlights include:
Privacy and security liability for third-party claims arising out of a privacy breach or security breach, including loss or theft of private personal data or failure of your client's system
Cyber media liability for third-party claims arising out of an electronic media breach such as infringement, trademark, plagiarism, invasion of privacy, defamation, libel and slander resulting from cyber content
Cyber privacy and security coverage combines protection for expenses that businesses pay in an effort to manage the fallout from a data breach with coverage for costs that stem from a lawsuit against a business.
Cyber Liability FAQ
What is cyber liability insurance and do I really need it?
Cyber liability insurance protects your business from the financial fallout of data breaches, hacking, ransomware attacks, and other cyber incidents. It covers both your direct costs (first-party) and your legal liability to others (third-party) — from forensic investigations and customer notification to defense costs and regulatory fines.
If your business stores any customer data — names, emails, payment info, health records — you
almost certainly need it. Most states legally require breach notification, which alone can cost tens
of thousands of dollars. Importantly, your general liability policy almost never covers cyber
incidents; that coverage is specifically excluded.
What's the difference between first-party and third-party cyber coverage?
First-party coverage pays for costs your business incurs directly after a cyber incident:
• Forensic IT investigation
• Data recovery and system restoration
• Customer notification expenses
• Credit monitoring services
• Public relations and crisis management
• Ransomware payments and negotiation costs
• Business interruption losses
Third-party coverage protects you when a customer, partner, or client sues you because your
breach affected them — covering legal defense costs, settlements, and regulatory penalties.
What does cyber liability insurance actually cover?
Most comprehensive policies from carriers like Chubb, Travelers, and The Hartford cover:
• Data breaches and unauthorized access to sensitive data
• Ransomware attacks — ransom payments and negotiation expenses
• Business interruption losses while systems are down
• Legal defense costs and settlement payments
• Regulatory fines and penalties (where legally insurable)
• Customer notification and credit monitoring costs
• Digital data recovery and restoration
• Social engineering and phishing-related fraud
• PR and crisis communications costs
• Network extortion threats
What is NOT covered by cyber liability insurance?
Common exclusions to watch for:
• Loss of intellectual property
• Direct physical bodily injury or tangible property damage (unless "bricking" coverage is
added)
• Losses from prior known incidents or acts before policy inception
• Incidents caused by failure to maintain basic security standards
• Acts of war (some policies classify sophisticated nation-state attacks here)
• PCI fines and assessments (may require a separate endorsement)
• Direct theft of money or property
• Infrastructure failure unrelated to a cyberattack
Always read exclusion language carefully — what seems like a data breach may be re-characterized to trigger an exclusion. Legal advice before purchasing is recommended.
Does my general liability policy cover cyber incidents?
No — not typically. General liability policies cover bodily injury and tangible property damage, but
cyber incidents are almost always excluded. Electronic data damage, digital asset losses, and
breach-related liabilities are specifically carved out of standard GL policies.
Some businesses add cyber endorsements to existing GL policies, but these tend to have very
low limits (often capped at $50,000), limited ransomware coverage, and sub-limits that fall far
short of actual breach costs. A standalone cyber policy provides dramatically broader and more
reliable protection.
Does cyber insurance cover employee mistakes and phishing attacks?
Yes, in most cases. Most policies cover breaches caused by employee mistakes such as falling
for phishing scams, accidentally leaking data, or clicking on malware-infected email attachments.
Human error is actually the cause of approximately 95% of cyber incidents, so this is a critical
piece of coverage.
However, be aware that some policies include exclusions or sub-limits for "social engineering"
attacks — where employees are manipulated into transferring funds or revealing credentials.
Confirm this is explicitly covered in your policy, as it is one of the fastest-growing attack vectors.
How much does cyber liability insurance cost?
Costs vary widely based on business size, industry, and security posture. Current benchmarks:
• Small business median: approximately $134/month ($1,609/year)
• Typical annual range: $1,200 to $7,000 per year
• 38% of businesses pay under $100/month
• Average deductible: $2,500 on a $1 million policy
• Policy limits typically range from $1 million to $5 million
After sharp premium increases in 2022 (nearly 80% in one quarter), prices have stabilized.
Companies with strong cybersecurity controls — particularly multi-factor authentication — tend to
see the most favorable rates.
What factors affect my cyber insurance premium?
Underwriters evaluate several key factors when pricing your policy:
• Industry — healthcare, finance, manufacturing, and education face higher premiums due to
elevated targeting and regulatory exposure
• Revenue and business size — larger companies with more data carry higher risk
• Volume and type of sensitive data — PII, health records, and payment card data all increase
risk
• Security controls — MFA adoption, endpoint detection, encrypted backups, and employee
training
• Prior incidents or claims history
• Policy limits and deductible chosen
• Vendor and third-party access to your systems
Is cyber insurance worth the cost?
Almost certainly yes. The numbers make a compelling case: the average cost of a single data
breach for U.S. companies reached $4.4 million in 2024. Even a minor incident can cost a small
business $200,000 or more — enough to force closure. In fact, 60% of small businesses that
experience a cyberattack close within six months.
A policy costing $1,200–$2,000 per year provides protection worth many multiples of that amount.
Beyond the financial coverage, most carriers also provide access to breach response teams, legal
counsel, forensic investigators, and PR consultants — resources small businesses could not
otherwise afford quickly.
How do I file a cyber insurance claim?
Contact your insurance carrier immediately — most have 24/7 incident hotlines. Time matters
because delays can complicate coverage. You will generally need to provide:
• A description of the incident and when you discovered it
• Evidence of the breach or attack (logs, ransom notes, screenshots, etc.)
• An estimate of affected records or systems
• Steps already taken to contain the incident
Most carriers — including Chubb and Travelers — deploy a breach response team that
coordinates forensic investigators, legal counsel, and notification services on your behalf.
Important: do not pay a ransom or make public statements before consulting your insurer, as this
can affect coverage.
How quickly can I get coverage?
For smaller businesses with straightforward risk profiles, some insurers can issue coverage within
24 hours through online applications. Larger or higher-risk businesses typically complete a more
detailed underwriting questionnaire and may wait several days to a few weeks for a quote and
policy issuance.
To speed up the process, have the following ready: your revenue and number of employees, types
of data you store, current security controls (especially MFA), and any prior claims history.
What security controls do insurers require?
Insurers have significantly tightened requirements in recent years. Core controls most
underwriters now evaluate or require:
• Multi-factor authentication (MFA) — now considered table stakes; without it, many insurers
will decline or heavily surcharge
• Endpoint detection and response (EDR)
• Regular offsite/encrypted data backups
• Privileged access management
• Employee security awareness training
• A documented incident response plan
• Email filtering and anti-phishing controls
• Patch management processes
Meeting these requirements not only helps you qualify for coverage — it can earn meaningful
premium discounts and improve your overall security posture.
How much coverage do I actually need?
Coverage limits typically range from $1 million to $5 million per occurrence. To determine the right
amount, consider:
• How many customer or employee records you store
• Your industry's average breach cost and regulatory penalty exposure
• Whether you are subject to HIPAA, CCPA, GDPR, or PCI DSS requirements
• Your annual revenue and ability to absorb an out-of-pocket loss
• Third-party contract requirements — many enterprise clients now mandate minimum cyber
coverage limits
A $1 million policy is a common starting point for small businesses, but note that many businesses
find their limits cover less than 10% of what a serious attack actually costs. Work with an
experienced broker to model your specific exposure and select appropriate limits.
This FAQ is for informational purposes only and does not constitute legal or insurance advice. Coverage terms, exclusions, and availability vary by insurer and state. Consult a licensed insurance professional at The Firebird Agency for guidance specific to your situation.
While our offices are located in Arizona and California, we are licensed all over the country.