Related resources

Related resources

Related resources

First- and third-party coverage for tech companies: what's the difference?

2017 marked a record-setting year for business data breaches, with 1,579 data breach incidents.

As cyber coverage changes to meet evolving risks, there may be confusion about the difference between first- and third-party cyber insurance coverage. Some insurance carriers focus on selling first-party cyber coverage. But for many companies — particularly tech companies that deal with other businesses — third-party cyber coverage is often much more important.

Need-to-know cyber terms

First-party cyber coverage:
protection for the data you own, such as information that pertains to your customers or employees

Third-party cyber coverage:
protection for liability associated with your customers' data, among other things

Privacy breach:
an incident that results from failure to protect private, personally identifiable information

Security breach:
an incident that bypasses security systems to result in unauthorized access or release of sensitive or confidential data

Electronic media breach:
infringement of a service mark or trademark

To make sure they have the most comprehensive coverage possible, tech companies need to understand the value of both.

Consider a software vendor that designs a program to help sales firms pay their independent contractors. The software utilizes and stores names, social security numbers and other personal information for more than 1 million contractors on its servers.

That information is breached.

In this case, first-party coverage would not protect the software vendor since the vendor does not "own" the information — it belongs to the customer. Third-party coverage, however, would provide important protection for potential liability associated with this breach, including the costs the customer incurs for notifying the potentially affected parties.

What is typically a confusing element to businesses is that the first-party exposure of their customers could be their own third-party exposure.

Tech companies should work with their independent agents to assess how much personal information the business owns, and the breadth of customer information they access. This can help independent agents more appropriately determine the cyber coverage and limit needs for each company.


Toby Levy

​​​​​About the author

Toby Levy is vice president and leader of the technology business unit at The Hanover. A 25-year veteran of the insurance industry, Toby leads a team focused on the technology insurance market.





LC OCT 2018-496