Cyber-Liability Insurance 101: First Party Vs. Third Party Risks
One important concept that people must understand when evaluating their cybersecurity postures and related liabilities, but of which, for some reason, many folks seem to be unaware, is the difference between first-party risks and third-party risks. Understanding the difference between the two is also essential when seeking to obtain – and when acquiring – cyber-liability insurance.
First-Party Risks And Coverage
First-party cyber-liability risks refer to risks that directly endanger an organization. If your business cannot operate for three days because it is hit with a malware infection, for example, the three days of downtime inflicted by the cyberattack is first-party damage to your business. Likewise, if you purchase appropriate first-party insurance, your insurance policy should cover the relevant losses – as the losses are borne directly by the policyholder (your business).
First-party insurance, therefore, typically covers the costs of actions needed after a data breach, extortion, ransomware attack, or other hacker malfeasance. Policies often pay for remediation, forensic investigations, restoration, and, to some level, efforts to mitigate reputational damage (for example, by covering, at least in part, the costs of hiring a public relations / crisis communications firm). First-party insurers may also pay ransomware ransoms, cover the costs of notifying customers of a data breach, and compensate for lost business during incident-related downtime.
In short, from the perspective of a business owner or operator, first-party cyber-liability insurance covers costs related to data breaches that you suffer to your own information and information system infrastructure.
Third-Party Risks And Coverage
Third-party cyber-liability risks refer to the risks of third parties claiming that your business is liable to them for damage that they suffered as a result of either your having suffered a cybersecurity incident or their having suffered a cybersecurity incident.
In many cases, third-party insurance coverage is utilized to protect organizations that bear at least some level of responsibility for securing other parties’ data. Third-party insurance policies may include coverage, therefore, for the costs of defending lawsuits from parties who claim that their data was compromised as a result of your business’s failure to properly protect it, as well as the costs of court verdicts or settlements resulting from such lawsuits. Such insurance can also protect parties accused of having enabled, through negligence, the launching of cyber attacks against others – for example, such insurance may cover litigation defense and settlement costs if an organization that was breached through the exploitation of login credentials given to an insured third party sues that third party for failing to properly protect the credentials.
In short, from the perspective of a business owner or operator, third-party cyber-liability insurance covers the costs of dealing with the claims of other parties that seek to hold you at least partially responsible for damages that they have incurred as a result of a cyber incident.
Interestingly, sometimes, the line between first-party damage and third-party damage can become blurred – especially if a business and its client have both been breached, and forensic analysis cannot conclusively establish the sequence of events leading up to the breach and/or how the breach occurred.
Which Do You Need?
Ideally, every organization should have some degree of both first-party and third-party coverage. The need for both types of protection is obvious when it comes to businesses that house other parties’ data – a managed service provider (MSP), for example, faces obvious exposure to many accusations and lawsuits in the event of a compromise or data breach impacting its clients’ data. But even other types of firms should consider third-party coverage – everyone faces risks of inadvertently forwarding a malware-infected email message that subsequently wreaks havoc after being opened by a recipient, for example, or of their computers and networks being breached and subsequently exploited by hackers to serve as launching pads from which to target others.
This article is sponsored by iBynd, which enables MSPs, cybersecurity companies, cloud providers, and other technology and financial services companies to seamlessly integrate a cyber-liability insurance product offering for their small and medium-sized business customers. iBynd also has a first-of-its-kind Personal Cyber Insurance offering that it delivers directly to consumers through CyberInsurancePlus.com.