Cyber Series: Why "Cyber Liability" is a Misnomer

May 10, 2022

Many insurance agents and brokers commonly refer to cyber insurance as "Cyber Liability". While cyber insurance policies do cover third-party liability claims, this common misnomer fails to capture the big picture and true value a cyber insurance policy can deliver.

Historically, cyber claims were characterized as low-frequency and high-severity, and malicious actors primarily targeted large organizations. The earliest cyber policies in the 1990s excluded first-party coverages and dealt primarily with lawsuits arising out of alleged privacy infringement and the improper use of online media. Today, both cyber incident frequency and severity are increasing rapidly, and over 60% of all cyber incidents target small businesses. The reasons for these ominous trends are plentiful, such as the shift to remote work and the proliferation of Ransomware as a Service (RaaS), which makes deploying ransomware so incredibly easy that internet-savvy, pubescent kids can do it (and they do).

Cyber "liability" gives the impression that a cyber policy's chief benefit is its defense coverage if the policyholder is sued for leaking its customers' or vendors' data. The reality is that the vast bulk of cyber incident losses fall under first-party expenses - the expenses a business incurs to address a breach or disruption. The cost breakdowns in the images below were generated using Chubb Insurance Company's public Cyber Index, a website Chubb uses to publish the claims data it has been gathering since 2009.

Third-party liability costs account for only 6.3% of Total Claims Costs for organizations under $25M in revenue, across all industries. It should be clear then that a cyber policy's true benefit is its funding of all those services required to mitigate the damage of a breach or disruption.

These services include the attorneys hired to help navigate an incident in accordance with local and federal regulations, the IT forensic specialists required to investigate the scope of a breach, the victim notification call centers, PR experts, etc. The Incident Response and Cyber Crime coverages typically deliver the most value to policyholders, because they are the most commonly activated when an incident occurs. Without a cyber policy in place, a business will likely be stuck paying all of these costs out-of-pocket - and they're not insignificant, as evidenced by the image below.

This graph examines the average paid incident response costs for organizations under $25M in revenue across the last five years. The average cost of a call center to notify potentially affected individuals following a breach is $186,047, and the average total cost of these incident response services together adds up to $349,833. It should be noted that these costs do not account for any ransom payments or lawsuits following a breach, for which coverage can be added to the policy. 

Yes, cyber insurance covers third-party suits, but referring to it as "cyber liability" misses the mark when it comes to communicating its true value to clients. 

About the Author: Evan is currently serving as Insurance Advisors' Vice President of Commercial Insurance, with specialties in Cyber Insurance and Employee Benefits strategy. Evan obtained the Certified Cyber Risk Manager (CYRM) designation in 2020 and has found a passion in helping his clients mitigate this rapidly evolving threat through both insurance solutions and cyber security tools. For more information regarding cyber insurance, email inquiries to or dial 248-363-5746 ext. 115.