First- vs. Third-Party Cyber Coverage

Last year marked the second-highest record for business data breaches: 781.

As cyber risks continue to evolve and insurance providers work to reduce exposure for commercial clients, confusion persists regarding first- versus third-party cyber insurance coverage. To provide the most comprehensive coverage possible, you need to understand the value of both.

Some insurance carriers focus on selling first-party cyber coverage. But for many companies—particularly tech companies that deal with other businesses—third-party cyber coverage is often much more important.

Consider a software vendor that designs a program to help sales firms pay their independent contractors. The software utilizes and stores names, social security numbers and other personal information for more than 1 million contractors on its servers. Then, that information suffers a data breach.

In this case, first-party coverage would not protect the software vendor since the vendor does not “own” the information—it belongs to the customer. Third-party coverage, however, would provide important protection for potential liability associated with this breach, including the costs the customer incurs for notifying the potentially affected parties.

For small to midsize technology companies, the uncovered losses could be significant. The third-party exposure—the extent of the customer’s personal information—is often an order of magnitude greater than the first-party exposure, which typically includes past and present employees. What confuses insureds is that the first-party exposure of their customers could be their own third-party exposure.

The bottom line for agents: Ask each and every customer how much personal information they own, and inquire about the breadth of customer information they access. Understanding these simple questions can help agents more appropriately determine the cyber coverage and limit needs of current or prospective insureds.

Toby Levy is vice president of technology insurance at The Hanover Insurance Group.

Cyber Dictionary

First-party cyber coverage: protection for the data you own, such as information that pertains to your customers or employees

Third-party cyber coverage: provides protection for liability associated with your customers’ data, among other things

Privacy breach: an incident that results from failure to protect private, personally identifiable information

Security breach: an incident that bypasses security systems to result in unauthorized access or release of sensitive or confidential data

Electronic media breach: infringement of a service mark or trademark —T.L.