Cyber Insurance Guide | Zaviant

It goes without saying that robust cybersecurity and data privacy measures are a necessity for doing business in this day and age. Without either, an organization’s defenses are left to luck and hope – maybe an adversary will never take notice of the wide-open gaps in your network? (The odds are not in your favor.)

The unfortunate reality is that the majority of organizations – regardless of their size or industry – will experience a cyberattack. While cybersecurity and data privacy measures help limit the depth and breadth of the incursion, they are only part of a larger strategy to mitigate the effects of an attack. 

The fallout of a network infiltration is rarely a non-event. In many cases, it takes a concerted effort over months and a significant investment to recover from an attack.  Cyber insurance helps an organization meet the challenges of returning to pre-attack operations without going bankrupt.

It also serves as a means to make sure an organization’s cybersecurity and data privacy measures are meeting base-level standards and best practices. 

Obtaining cyber insurance is not a simple process. This should come as no surprise – while insurance is designed in part to mitigate an organization’s risk, insurers are not looking to assume unnecessary risk in providing coverage. In other words, the last thing an insurance provider wants to do is provide protection to an organization with inadequate, non-existent, or poorly maintained cybersecurity and data privacy programs.

Keeping coverage – especially after a cyber attack or data breach – is not a given either. As the threat landscape changes, an organization is likely to face higher premiums and new terms to retain coverage. 

Just like implementing and maintaining cybersecurity and data privacy mechanisms takes agility and constant vigilance, meeting the terms of a cyber insurance policy requires the same. Leveraging a partnership with a cybersecurity and data privacy consultant can mean the difference between having the benefits of cyber insurance available or not. 

In this guide, we’ll take a complete look at obtaining and retaining cyber insurance for your organization. We cover: 

Cyber insurance is relatively new in the world of cybersecurity. 

Though not an active part of the physical or virtual cyber defense that stops hackers from infiltrating a network or accessing data, it has become a vital component in an overall protection strategy.  

A financial safety net of sorts, cyber insurance provides funding in the immediate aftermath of an incursion or theft of data. Essentially, it prevents an organization from going into financial ruin because of a bad actor’s actions while furnishing a financial lifeline needed for recovery.  

For an organization’s general counsel, understanding cyber insurance and how policies work is as important as understanding existing cyber threats and the risks associated with not being prepared. 

Cyberattacks are a very real and present danger to all types of organizations. Adversaries do not discriminate against who they target. As long as there is the potential for gain from infiltrating a network or stealing data, that is reason enough. 

The numbers tell a concerning story: Not only has the frequency of cyberattacks grown exponentially in recent years, the attacks are also becoming increasingly subtle, sophisticated, and targeted. In addition, the costs associated with recovering from an attack – generated by deep-dive investigations, fines, penalties, lost revenue, etc. – are going well beyond the $1 million mark.

As someone tasked with making sure an organization is protected from legal, financial, and reputational threats, a general counsel plays an important role in advocating for and selecting a cyber insurance policy. In addition to evaluating the policy and its provisions, the general counsel can also help determine if the coverage is appropriate and the best value for the dollar. 

A Closer Look at Cyber Insurance 

Like any other form of coverage, cyber insurance is an additional layer of protection for a worst-case scenario. Having coverage can mean the difference between a successful recovery from an attack or breach, and bankruptcy or shutting down.

A funding source for both the immediate and long-term aftermath of an attack, cyber insurance helps organizations pay for the costs associated with an infiltration of their networks or compromised data such as: 

  • Repairing hardware
  • Network damage
  • Recovering stolen or corrupted data
  • Ransoms and extortion payments 
  • Legal fees and fines
  • Lost revenue 

Though an expense, cyber insurance minimizes the direct impact of a cyberattack on an organization.

Types of Cyber Insurance 

Cyber insurance breaks down into three categories of protection: 

  1. First-party cyber liability insurance 
  2. Third-party cyber liability coverage
  3. Cyber errors and omission insurance


1. First-Party Liability Coverage

First-party cyber insurance is the most common form of coverage. At its core, a first-party cyber insurance policy serves as a funding source for the damages from a cyberattack, reducing the monetary impact of a breach on an organization.  

During the first few hours and days after an attack, first-party cyber liability policies typically cover:  

  • Operational expenses
  • Extortion fees (ransoms) 
  • Forensic investigations  
  • Notifying those affected by an incident
  • Public relations efforts

In the weeks and months after an attack, first-party cyber liability policies cover the expenses of:

  • Ongoing data restoration and recovery efforts 
  • Attorney and court fees 
  • Judgment claims
  • Fines and fees for non-compliance 


2. Third-Party Liability Coverage

Third-party coverage extends to those organizations that a business or company works with, and is liable for, such as its partners and vendors. In the event of a cyberattack against an affiliate, the primary organization is spared from some of the expenses of network infiltration or data compromise.  

Be warned: third-party liability coverage does not provide the same level of protection as first-party liability coverage. Rather, it is an enhancement to the latter.


3. Cyber Errors and Omission Insurance 

Addressing cyber risks from a different perspective, cyber errors and omission (E&O) insurance protects an organization should its products or services be the reason for a cyberattack against a user.

Similar to first-party cyber liability insurance, cyber E&O insurance provides coverage for expenditures such as legal fees, fines, and judgment claims. Such policies are, however, not all-encompassing, meaning they only provide coverage for the costs directly associated with the incident. 

What Cybersecurity Insurance Does Not Cover

Having a cyber insurance policy is no guarantee of immunity from the financial impacts of a breach. Like other forms of insurance, there are elements of an incident that are simply not covered. 

When looking for comprehensive coverage, be aware that cyber insurance policies usually do not provide coverage for:

The High Cost of Being Uninsured

Cyber insurance is in many respects a form of assurance that an organization has the opportunity to recover from a cyberattack rather than being bankrupted by one. 

The average cost of a cyberattack or data breach in 2021 was $4.24 million – up from $3.86 million the previous year. As the frequency and depth of attacks are expected to only increase, the financial impact on organizations is expected to follow suit.

Without cyber insurance, an organization is forced to foot the bill for recovery on its own – expenditures that could put it out of business. 

Not having cyber insurance costs organizations in other ways, as well. 

As a potential vendor or partner to another organization, having a cyber insurance policy can mean the difference between moving forward in a relationship and not. Many organizations require those they formally partner with to have a cyber insurance policy. If a partner lacks such coverage, there may be virtually no financial relief available to an organization suffering the impacts of a cyber incident or data breach inflicted on the affiliated organization. 

Holding a cyber insurance policy also serves as a motivating factor in driving an organization to better protect itself from digital adversaries. To retain coverage, most insurers require that policyholders maintain a certain level of cyber defense and implement established data security protocols. In essence, cyber insurance helps reduce an organization’s risk profile by forcing it to stay on top of its cybersecurity and data protection programs.  

Data Privacy vs. Data Security vs. Data Governance

Discussions about keeping data safe usually include terminology such as “data privacy,” “data security,” and “data governance.” While these terms indeed have a place in such conversations, they are often misused and misunderstood.

In the case of obtaining or retaining cyber insurance, most insurers take an in-depth look at an organization’s existing cybersecurity and data privacy practices before drawing up a policy. Having robust data security, privacy, and governance helps satisfy the insurer’s concerns and may translate to substantially lower premiums. Without them, an insurance provider may outright deny coverage or require an organization to develop and implement data management controls to obtain a policy.

Both individually and collectively, all three elements of data protection are vitally important to creating a well-rounded and successful data management strategy.

Understanding Data Privacy vs. Data Security vs. Data Governance

What is Data Privacy?

Data privacy – sometimes also referred to as “information privacy” – refers to the laws and regulations governing how organizations collect, process, store, and share protected data. 

In most countries, data privacy is a right, and individuals have the final say in how an organization manages and shares their data, including:

  • Name
  • Address
  • Social security number
  • Financial information 
  • Health information

What is Data Security?

Data security refers to the processes and procedures that protect data from unauthorized access, use, or alteration. At their core, data security measures keep data from falling into the hands of those with malicious intent.

Some of the most common data security mechanisms include: 

  • Firewalls
  • Encryption
  • Network access control 
  • Multi-factor authentication

What is Data Governance?

Data governance is the foundation on which the pillars of data security and privacy stand. In simplest terms, data governance is the internal policies for how an organization handles the data it collects.

Data governance comprises:

  • Data retention policies
  • Data storage locations
  • Access controls
  • Decision-making procedures and authority
  • Contingency plans
  • Auditing procedures

Remember: There is never a conflict between data privacy, security, and governance – all three complement each other in an effective data management strategy.

Maturing Data Privacy Governance & Cybersecurity Programs

As companies increasingly collect, process, and store data, they have also become more enticing to adversaries looking to carry out a cyberattack. Stolen data and disabled networks carry a high premium. 

In the eyes of an insurer, this additional vulnerability impacts an organization’s risk profile. 

Having mature cybersecurity and data privacy programs in place is almost a prerequisite for obtaining cyber insurance. Another form of protection against the effects of a network or data breach, cyber insurance goes hand-in-hand with cybersecurity and data privacy programs. 

However, cyber insurers will not take on unnecessary risk. In evaluating an organization for coverage, they look more favorably on those that have more than just the basics to keep their digital assets safe. In other words, cyber insurers much prefer covering organizations that exceed their requirements for cybersecurity and data privacy protections. 

The stronger an organization’s cybersecurity and data privacy frameworks, the more coverage options an insurance provider may offer and the lower premiums may be. 

What Constitutes “Maturity” in Cybersecurity and Data Privacy Programs?

Mature Cybersecurity Program 

A systematic approach to protecting computer networks and systems, a mature cybersecurity program features three overarching components: 

1. Defined Policies and Procedures

Defined policies and procedures leave little question about an organization’s standards and practices for its cybersecurity. They:

  • Are easily understandable 
  • Provide mechanisms for reporting suspicious activity 
  • Enforce consequences on those found not following guidelines


2. Organizational Buy-in

From the CEO to the rank and file employees, everyone should be on the same page with maintaining cybersecurity. Employees should receive regular cybersecurity training on suspicious emails, social engineering attempts, and proper data handling.

Decision-makers should review what to do in the event of a network breach as often as their quarterly reports.


3. Tools and Technology

An organization’s cybersecurity defenses are only as good as the tools it is using. Utilities such as end-point protection and anti-malware software are musts at a minimum. Further, an organization may want to consider advanced technologies like artificial intelligence for predictive analysis of potential future threats.

Mature Data Privacy Program

A mechanism for keeping private data out of the wrong hands and within the parameters of laws and regulations, mature data privacy programs should include: 


1. Data Inventory and Mapping 

Data inventory and mapping examines all the data an organization touches, uses, and collects. By understanding what data an organization has, where it lives, and who has access to it, decision-makers are able to better protect it from unauthorized access or theft. They can then identify and protect sensitive data that may require additional safeguards.


2. Data Retention Policies and Procedures

Data retention policies are guidelines dictating how long an organization is required to keep customer information before deleting it. Their purpose is to protect against litigation over lost records that an individual may need to prove claims, as well as to address legal requirements imposed by law and industry best practices.


3. Privacy Policies

A privacy policy should be clear and concise, informing the individual or customer about what data is being gathered and why. It should also let the customer or user know that the organization did, in fact, gather their data and what their intentions are with it. The privacy policy should be easy to find on the organization’s website and updated regularly.

Common Cybersecurity & Data Privacy Program Immaturities

Cyberattacks have exponentially increased in recent years. While it might seem logical to attribute the uptick in attacks to adversaries becoming more cunning, that is only part of the story. In reality, hackers are able to gain access to a network by exploiting basic, yet common, gaps in cybersecurity. 

Put simply, immature cybersecurity and data privacy programs can have big costs – especially when it comes to cyber insurance.

Despite many organizations taking steps toward stronger network security and compliance with data privacy regulations, three common issues persist that keep programs for both from being considered mature. 

Many organizations have simply not prioritized their cybersecurity and data privacy programs. Rather, they do the bare minimum necessary to meet security and compliance standards.

Oftentimes, organizations have: 

  • Unused or underutilized security software and licenses 
  • Siloed or out-of-date security tools and technologies
  • A lack of multifactor authentication 
  • Few measures in place to determine whether tools are working 
  • Compliance programs that see little attention

Unfortunately, many organizations put themselves at risk because they do not dedicate adequate resources to protecting themselves. The demand for security talent and a shortage of qualified experts has caused many organizations to be understaffed or lacking in necessary skills.

Out-of-date or ineffective defense mechanisms also make it easy for significant gaps to go unnoticed or unaddressed; this is particularly true in an understaffed environment. Once a breach is identified, many organizations also lack a formal incident response plan to mitigate threats and recover.

Cyber Insurance and a Cybersecurity Consultant: Why You Need Both


While cyber insurance helps mitigate some of the costs of a cyberattack, it cannot defend against an attack itself. In an overall strategy to circumvent and limit the effects of an attack, cyber insurance is half the equation. The other half is having robust cyber and data security measures in place. 

Like obtaining and retaining cyber insurance, creating effective safeguards against digital adversaries is not an easy task. Nor is it a one-time endeavor. That is where a cybersecurity consultant is crucial. 

Having a solid partnership with a cybersecurity consultant or vCISO (virtual chief information security officer) gives an organization peace of mind. It also does the same for an insurer providing coverage to an organization. 

How Cybersecurity Consultants Complement Cyber Insurance

Cyber insurance is now as essential in business as general liability insurance or any other insurance that is designed to ensure the survivability of an enterprise. Driven by increases in threats, new compliance requirements, and attack frequency, the cyber insurance market is expected to grow from $7.6 billion in 2021 to $36.85 billion by 2028.

However, it comes with a corresponding, and not insignificant, bite out of the bottom line.

Yet, just as a good driving record can lead to lower auto insurance premiums, demonstrating a lower risk factor to a cyber insurance underwriter can keep the cost of premiums down. A cybersecurity consultant helps an organization reduce its risk level and optimize insurance coverage, manage premiums, and ensure compliance with constantly evolving security frameworks and privacy regulations, while also staying on top of the latest cyber threats.  

A cybersecurity consultant bridges the gap between the general counsel and a cyber insurance carrier by providing: 

Beyond Cyber Insurance Requirements: The Role of a Cybersecurity Consultant

The reality of the global threat of cybercrime and cyberwarfare has inspired a growing list of new regulations and laws designed to defend against such attacks. While largely beneficial, these new rules also create challenges for organizations. Organizations must not only achieve and maintain compliance but also understand and acclimate to new and existing regulations to fully recognize their defensive purpose.

It is prudent, therefore, for the general counsel to work closely with a cybersecurity consultant to make informed decisions about how to:

  • Work within a regulatory framework to protect the organization against cyberattacks
  • Develop a cyber incident response plan 
  • Remain in compliance with applicable data protection laws

A cybersecurity consulting partner will also provide valuable insight as the general counsel works with internal information security staff to implement programs that help an organization prepare for, and quickly recover from, inevitable cyber incidents by:

  • Minimizing damage to the corporate reputation 
  • Mitigating the loss of key data
  • Determining the source of the incursion
  • Avoiding litigation and penalties by enacting a rapid and appropriate recovery plan
  • Communicating regularly with the cyber insurance provider
  • Ensuring an organization acts in ways consistent with its insurance policy


5 Tips for Working with a vCISO

A virtual Chief Information Security Officer (vCISO) is an on-demand data security and privacy service provider who works for an organization remotely. A vCISO can help build, improve, and maintain a robust and reliable cyber- and data-security program. 

While a vCISO and general counsel (GC) fill two distinctly different roles in an organization, their work goes hand-in-hand – especially when it comes to maintaining cyber insurance coverage. 

At their core, both the vCISO and GC share a common goal – protecting an organization. To maximize a working relationship, a GC and vCISO should:

1. Communicate

Communication is crucial in any relationship. GCs and vCISOs must be on the same page when it comes to assessing and mitigating risk. Neither party should be bashful about speaking up – sometimes hard conversations are the best, as they keep an organization proactive in staving off cyber threats.


2. Set Defined Expectations

One of the most dangerous things an organization can do is engage outside resources without a clear picture of the intended outcomes of the engagement. Having the goals and deliverables clearly defined from the start of a relationship helps alleviate concerns or misunderstandings in the future. In addition, having expectations literally spelled out creates a means for accountability.

3. Understand the Threat Landscape

Cyber risks are higher than ever. Encrypted threats, ransomware, jackware, breach attempts, and nearly every other form of cyber-attacks rose by double or triple digits in 2021. Cybercriminals continue to evolve tactics.

A vCISO and GC should have regular conversations about where they see threats coming from and discuss ways to address them.

4. Be Familiar With the Regulatory and Compliance Landscape

Next to security, meeting compliance regulations and laws is the most important thing for data management and network security. Without having a grasp of the latest compliance laws and regulations, it becomes nearly impossible to develop programs that keep an organization secure and in compliance. Non-compliance is very costly to an organization, often meaning fines and penalties beyond the five-figure mark. 

5. Practice Incident Response Readiness

The only thing worse than a cybersecurity or data privacy breach happening is not being ready to respond immediately. If an organization cannot respond quickly, the damage and fallout from an incursion are far greater.

Organizations need to have a formal cyber incident response (IR) plan in place and test it regularly. Practicing a simulated response to incidents allows both a GC and vCISO to evaluate the effectiveness of the plan and make refinements.

Cyber Insurance Coverage Checklist: What to Look for in a Policy


While no organization ever wants to find itself in the position of needing to use its cyber insurance, the only thing more frustrating is finding coverage is not available because of the policy’s provisions.

A cyber insurance policy should be the last thing an organization needs to worry about – especially when it is needed most in the aftermath of a breach.

Regardless of the carrier or the amount of available coverage, every cyber insurance policy should be scrutinized before signing on the dotted line. This cyber insurance coverage checklist will help make sure you find a policy that suits your organization’s needs. 

Cyber Insurance Coverage Checklist: 7 Things Every Cyber Insurance Policy Should Have

Your cyber insurance coverage should be tailored to your unique organizational needs and risk profile. When evaluating a policy, evaluate it for these seven provisions:

  1. Ransomware payments and recovery: The ransom paid to an attacker and other expenses including hiring a negotiator. 
  2. Data restoration: This covers restoring damaged data and software destroyed by malware or any other cyber attack.
  3. Loss of income: This includes recovering lost profits, fixed expenses, and other costs while your network is down as well as costs to restore operations. Some policies include coverage for lost profits from reputational damage or decreased valuation.
  4. Legal expenses and fees: This includes costs related to legal representation for your organization in the event of a lawsuit brought against you in the wake of an attack. Some policies will also cover penalties, fines, or hearings from regulatory agencies. 
  5. Data breach notification: This includes costs associated with notifying anyone affected by the data breach. Some regulations require businesses to notify consumers who are affected. 
  6. Digital forensics after a breach: This includes the cost of investigating, isolating, and removing a threat. It also covers the costs of hiring cybersecurity professionals to get a clear picture of the size and scope of a breach and to help get your cyber and data security programs up and running stronger than before.
  7. Fraud and credit monitoring: This includes credit monitoring costs and costs associated with creating a call center for impacted customers.

If you provide services to others or connect to other networks, you may also want to consider third-party cyber liability coverage to protect you in case an error or omission on your part causes damages to others.

Tapping Your Cyber & Data Breach Insurance Post Attack

While having insurance allows for a sigh of some relief in a worst-case scenario, there is no pleasure in tapping into coverage. Using insurance of any kind means something bad happened. 

Like any other form of coverage, cyber insurance is something an organization would rather have and not need than need and not have. In cases of using cyber and data breach insurance, an organization has fallen victim to a hacker gaining access to its networks and private data. 

Though post-cyberattack conversations are the last thing anyone wants to have, they are a necessity to move forward in the recovery process. By coming to the table prepared, those hard conversations are a little easier and streamline the initial stages of getting back to pre-breach business as usual.

Talking With Your Cyber & Data Breach Insurance Provider Post-Breach 

After a cybersecurity or data privacy breach, one of your first steps is to execute your breach response and notification plan. The sooner you start, the sooner you can start filing an insurance claim. 

For your data breach insurance provider to effectively help your organization, they need as much information as possible from the onset. Key details to share in the immediate aftermath of a breach include: 

  1. When the breach was discovered 
  2. How the breach was discovered – did a member of your team or a client alert your organization or did a component of your cyber defenses? 
  3. The immediate impact of the breach on your organization – is it limited to data or are operations affected? 
  4. The extent of any known data loss, including what data was taken and how much 
  5. Who any data loss is reportable to – do you need to notify regulators, clients, customers, or employees?
  6. The type of help your organization needs – breach coach, crisis communications, forensics, negotiators, identity theft protection, etc. 
  7. Whether law enforcement has been notified and whether it will need to be involved 
  8. Any communications with a threat actor to this point


Whether you are an organization’s general counsel, CISO, risk management professional, or member of its IT team, there are some important questions you should ask your insurer to move forward in starting the claims process:  

  1. What additional information does the insurer require?
  2. Are there any deadlines to be aware of?
  3. What services are provided according to your organization’s policy (think: breach coach, crisis communications, data forensics)? 
  4. Is your organization allowed to choose its own post-breach service providers? 
  5. Are there limitations on the policy for certain workstreams?
  6. Who do firms referred by the insurer report to – the insurer or your organization? Do they work directly and exclusively for your organization?
  7. Is there anything we should not do that would jeopardize a claim?

Talking With a Data & Cybersecurity Consultant After a Breach 

As with cyber insurance, having a data and cybersecurity partner on hand is invaluable after a breach. Their work after a breach occurs can help an organization circumvent becoming a victim a second time. 

Like an insurer, a data and cybersecurity partner will want to know as much as possible about the incident. You should expect to be asked: 

  1. What is the status of the attack – is it still in progress, contained, or over?
  2. How did the attack happen?
  3. How did your team respond to the attack? 
  4. What have you done to start the recovery process – has your organization taken corrective action and if so, what?
  5. Are there any immediate weaknesses that you’ve identified in your defenses, and if so, what are they? 
  6. What cyber and data security defenses did your organization have in place before the attack?
  7. Has your organization ever had an external and internal penetration test?
  8. Has your team ever run tabletop exercises or completed any practice drills for a breach?

Similar to speaking with your organization’s cyber insurance provider after a breach, you should have questions ready for a cyber and data security consultant. Generally speaking, your checklist of questions should include: 

  1. What additional information is needed? 
  2. What post-breach services does the consultant provide?
  3. How soon can work start? 
  4. What do our short-term and long-term engagements look like?
  5. Who is the main point of contact?
  6. What is the payment for services schedule?
  7. Does the firm provide cybersecurity and data handling training? 
  8. What reports or documentation will be delivered? 

The #1 Takeaway From a Breach

The last thing any organization wants is to find out its cyber defenses were subverted and its data was compromised. Breaches cause a host of problems and start an organization on a long road to fully recover. 

For any organization that has become an adversary’s latest victim, a breach should underscore the importance of being prepared. In an overall cybersecurity and data privacy strategy, robust and always-on defenses are only one, albeit critical, component. Having the mechanisms in place to respond to a network intrusion can mean the difference in a successful recovery. 

The most effective breach recovery measures – such as a cyber incident response plan – are developed by an organization in concert with a cybersecurity partner. Whether they are a member of your team or from a cybersecurity consulting service, a cybersecurity partner has the expertise to create a breach response roadmap that expedites 

From a cyber insurance perspective, having breach recovery mechanisms in place is a requirement for most policies. Without an incident response plan or other measures ready, some insurers may deny claims or stop covering an organization.

Moving Forward From a Breach 

With adequate preparations, a breach in cybersecurity and data privacy is not the end of the world for an organization. Though a successful cyberattack presents a host of challenges, having the resources for recovery available (cyber insurance and a cybersecurity partner) makes the process less painful. 

Whether your organization is using its cyber insurance policy or working with a cybersecurity partner, getting the most from either means asking the right questions and having honest conversations.