Cyberinsurance policies typically provide first and third party coverage. First party coverage relates to an insured’s own expenses in investigating and remediating a data breach, and recovering the insured’s data and other information assets. Third party coverage kicks in when customers and regulators seek to hold the insured accountable for the breach.
But we know this already, right?
We also know that underwriters started with commercial general liability (CGL) forms when they started writing cyber policies because, well, it was the closest thing they had on file and nobody likes to start from scratch. I’ve previously discussed how this has led to some CGL provisions spilling into cyber policies even though they really don’t belong. The contractual liability exclusion, the acts of war/terror exclusions, etc.