Cyber liability insurance: How it works and how to assess policies

A cyber liability insurance policy can provide first- and third-party coverage for damages when private, financial, or other business-critical information is compromised due to a data breach or network intrusion.

Cyber risk management is complex, and with today’s quick-moving bad actors, falling victim to a cybersecurity scam can impact your normal business operations and significantly damage your bottom line. According to recent data from Positive Technologies, cybercriminals can penetrate 93% of company networks, gaining access to resources hosted on local servers and networks.

Every connected device within a network represents a potential endpoint for infection. Due to the ever-emerging Internet of Things (IoT) trend within U.S. businesses, this risk only compounds.

Your organization may be at risk if you have the following:

  • System access to the internet.
  • Vendors and suppliers who interface with or have access to your network systems.
  • IoT device endpoints (manufacturing, BYOD employee devices, etc.) connected to local networks.
  • Online financial transactions, including ACH and accounts payable functions.
  • Online sales and payment card processing (even if outsourced).
  • Business continuity dependent on a particular system or vendor.
  • Sensitive data storage (financial, medical, and employee records).

In short, almost all businesses or organizations today manage cyber risk.

A cyber liability policy can provide first- and third-party coverage for damages when private, personal, and financial information is compromised due to a data breach or network intrusion. Coverage can also provide the funds for an extortion payment if your network has been compromised by malware.

While the exact wording and terms of cyber liability insurance coverage may vary, typically, the coverage consists of and covers the following (subject to the coverage limitations contained in the policy):

First-Party cyber liability coverage (covers costs to the insured business)

  • Data Breach Response: provides a timely response to a security failure or privacy breach, paying for costs of services to assist in managing the cyber incident.
  • Business Interruption and Extra Expense: responds to lost income and continuing expenses arising from a cyber incident when the insured cannot continue operations.
  • Network Extortion: responds to a credible cyber threat from an outsider attempting to extort money, security, or other valuables.
  • Digital Assets: provides payment for the cost to restore damaged or destroyed data, software, and hardware.

Third-Party cyber liability coverage (covers costs others incur)

  • Privacy Liability: covers failing to maintain confidential information appropriately.
  • Network Security Liability: covers failing to maintain a secure network, including preventing transmission of malicious code.
  • Internet Media Liability: covers infringement of copyright, defamation, violations of rights of privacy, and plagiarism arising from a cyber claim.
  • Regulatory: covers actions or proceedings against the insured business by a regulatory agency resulting from violating a privacy law. These regulatory actions may include fines or penalties.

Why do businesses need cyber liability insurance?

Fraud does not discriminate. Breaches are not just impacting Fortune 500 companies in the financial, retail, and healthcare sectors anymore.

  • In the first half of 2022, there were 236.1 million ransomware attacks across the globe.
  • In 2022, the average data breach cost peaked at an all-time high of $4.35 million§.
  • 2021 was another record year of Internet Crime Complaints. The FBI’s IC3 division received 847,376 complaints resulting in an estimated total loss of $6.9 billion.
  • Business Email Compromise was the source of approximately $2.4 billion in adjusted losses, with 19,954 complaints filed.

In the event of any breach, time is of the essence. In addition to financial protection from various cyber exposures, a cyber insurance policy may help with response-related expenses, including crisis services such as forensics, customer notification, and public relations. Some organizations, such as Huntington, have access to a suite of tools that can also mitigate and prevent fraud. These resources can help you respond to an incident more quickly and get back to what’s most important – serving your customers and growing your business.

Assess your risk and consider cyber liability policies with this checklist.

Your cyber liability policy assessment checklist

  • Conduct a full-scale technology and cybersecurity risk audit to get an accurate cyber liability insurance quote. You must clearly understand your organization's technology infrastructure and susceptibility to cyberattacks. A network security assessment or audit can help you evaluate your risks and vulnerabilities and identify areas that need improvement. Insurance providers may also request this information before providing a policy quote.
  • Implement industry best practices to shore up defenses. Once you have a good understanding of your risks, you can take steps to mitigate them. This may include implementing better cybersecurity measures, such as two-factor authentication and data encryption. As you make your organization more secure from a network security perspective, you will have more insurance options available to you, which may allow you to pay lower insurance premiums.
  • Request quotes from multiple cyber liability insurance providers. Not all cyber liability insurance policies are created equal. It's essential to compare quotes from various providers to ensure you select the best coverage for your needs. Compare and contrast the various coverage and policy specifics and where they might directly address liability risks.
  • Understand what is covered by a policy and what isn’t. Every cyber liability insurance policy is different, so understanding how the policy will work in the event of a loss is complicated. Additionally, the insurance industry has had to rethink how it prices and underwrites cyber policies due to the significant dollars paid out for cyber losses and the disproportionately lower amounts of premium collected. To make cyber insurance viable for the long term, insurers are taking different approaches to increase out-of-pocket costs for policyholders through higher retentions or co-insurance, limiting coverage for systemic or widespread events, removing coverage for losses caused by end-of-life software, reducing coverage available for extortion if controls are inadequate, and more.
  • Create a cyber incident response plan. If the worst does happen and your organization is hit with a cyberattack, you'll need to be prepared. That means having a cyber incident response plan in place. This document should outline your organization's steps for responding to a cyber incident and who is responsible for each task. Having a plan in place can minimize the damage caused by a cyberattack and get your organization back up and running as quickly as possible.
  • Maintain a long-term view when engaging with organizational leaders. While the cyber insurance industry is ever-changing, it's essential to have a long-term perspective when discussing cyber risks with organizational leaders. This way, you can be sure that you're getting the best coverage for your needs and that your organization is prepared for future cyber threats.
  • Scenario plan against market conditions and potential premium changes. The cyber insurance market is constantly changing, and premiums can fluctuate based on market conditions. In the second quarter of 2022 alone, prices increased by 79% compared to 2021 due to the massive increase in cyberattacks globally and the potential cost of payouts to insurance companies. It's vital to game out scenarios against possible premium changes to ensure your organization is prepared for any cost increase.

Protect your data

Huntington can support you with the insights, resources, and expertise you need to grow and strengthen your organization. Contact your relationship manager to start the conversation.

Brooks, Chuck. 2022. “Alarming Cyber Statistics For Mid-Year 2022 That You Need to Know.” Forbes. Accessed October 18, 2022.  

Statista Research Department. 2022. “Annual number of ransomware attacks worldwide from 2016 to first half 2022.” Statista. Accessed October 18, 2022.  

§ Zorabedian, John. 2022. “What’s New in the 2022 Cost of a Data Breach Report?” Security Intelligence. Accessed October 18, 2022.  

Federal Bureau of Investigation Internet Crime Center. 2021. “Internet Crime Report 2021.” Accessed October 18, 2022.  


Wilson, Mike. 2022. “Cyber Insurance Premiums Are Up—And That's Not the Only Industry Shakeup.” Forbes. Accessed October 21,  

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.
