Phone 202 839-5563 

email sustainable@rightexposure.com

Rightexposure charlie tupitza cyber insurance

Requirements for securing Cyber and Data Breach Insurance

The following contains the minimum acceptable requirements that must be included in a Cyber and Data Breach insurance policy for the Company providing the product or service.

Coverage for Cyber and Data Breach Losses

Coverage must be secured for losses incurred from both Cyber and Data Breach events, and for the liability and expense that a Company could incur from a range of threats and incidents, including:

  1. Liability claims involving the unauthorized release of information for which the Company has a legal obligation to keep private;
  2. Liability claims alleging invasion of privacy and/or copyright/trademark violations in a digital, online or social media environment;
  3. Liability claims alleging failures of computer security that result in deletion/alteration of data, transmission of malicious code, denial of service, etc.;
  4. Defense costs in State or Federal regulatory proceedings that involve violations of privacy law;
  5. The provision of expert resources and monetary reimbursement to the insured company for the out-of-pocket (1st Party) expenses.


The term “Cyber Breach” implies coverage only for incidents that involve electronic hacking or online activities, whereas “Data Breach” refers to coverage of any private data and communications in other formats, including paper. As such, a Company must maintain a policy from an authorized insurance carrier that provides acceptable levels of coverage for both Cyber and Data Breach events.

Application process

Company should not disclose in an unsecure environment details about the company (other than publicly available information such as name, address, contact information, etc.), any information about past cyber and data breach events or losses, or the Company’s current cyber security processes or procedures (other than to answer basic underwriting questions, which should not exceed 5 pertaining to past events or losses and 5 pertaining to current cyber security processes and procedures, for a total of no more than 10 questions). Examples of basic underwriting questions would include:


  • Is your Company aware of any current or past circumstances which may indicate that your company has suffered a cyber or data breach?
  • Has your Company ever experienced a cyber or data breach that resulted in a state, federal or other regulatory fine or penalty?
  • Has your Company ever been sued or had other litigation that resulted from a cyber or other form of data breach?
  • Has a subcontractor under the direct supervision of your Company ever reported to you a cyber or other form of data breach that may have compromised data provided by your Company to the subcontractor?
  • Has your Company ever experienced any system intrusions, tampering, viruses or malicious code attacks that resulted in loss of data, or had any hacking incidents, extortion attempts, or other forms of data theft?
  • Is your company in compliance with NIST 800-171?
  • Does your company back up your data and systems?
  • Does your company store these backups in an offsite location?
  • Does your company utilize firewalls and anti-virus applications?
  • Does your company have a process for dual authorizations for the electronic payments or transfer of funds over $10,000.00?


If the underwriting insurance company asks more detailed questions as part of the application process (i.e., more than 10 basic underwriting questions), or requires that the Company provide details to fully answer the basic underwriting questions, then the application for the purchase of the insurance must be done in a “secure” format. Secure is defined as: the application must be conducted and stored in a FedRAMP-certified cloud storage system.

Domicile of Insurance Carrier

The insurance carrier issuing the policy to the Company to be insured must be domiciled in the USA, UK or an approved US ally.

Security Breach Hotline

The insurance carrier issuing the policy to the Company must provide the Company with access to a call center or other telephone support that is staffed and available 24/7/365, which the Company may call to notify the insurance carrier of a security breach (suspected or known). The call center or hotline provided by the insurance carrier must give the Company access to breach response counsel and breach response team(s), and to other resources provided by the insurance carrier, to promptly develop a response plan and to begin recovery and response activities.

Minimum Coverage Limits

Any insurance policy must meet minimum coverage limits of no less than $1,000,000.00 USD per claim and no less than $1,000,000.00 USD in the aggregate (limits should be set based on the revenue / size of the Company to be insured), with no sublimit for any coverage unless noted as such below. Coverage should extend to the following:


Coverage for costs incurred to respond to a Security Breach event. Breach Response Costs include the fees, costs, charges or expenses incurred after the discovery of a Security Breach, including:

    • computer forensic professional fees and expenses to determine the cause and extent of the Security Breach;
    • costs to notify any company, client, subcontractor or persons affected or reasonably believed to be affected, including printing costs, publishing costs, postage expenses, call center costs or costs of notification via phone or e-mail;
    • legal fees and expenses;
    • Credit Monitoring Expenses of those affected by the Security Breach.



Coverage for a claim arising out of any privacy wrongful act that causes harm to any third (3rd) party or Employee. The coverage must provide liability protection for the Company for losses due to the unauthorized release of Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), Protected Health Information (PHI), and any corporate confidential information of third parties and employees, and for any privacy breach violating a person’s right to privacy, regardless of State- or Federal-specific definitions of CUI, PII or PHI.


Coverage for both legal defense and the resulting fines/penalties emanating from a regulatory claim alleging a privacy breach or a violation of a Federal, State, local or foreign privacy statute or regulation (including GDPR).


Coverage for the Company for allegations of a security wrongful act, including the inability of a third party who is authorized to do so to gain access to the Company’s computer systems due to the failure to prevent unauthorized access to or use of a computer system, and/or the failure to prevent false communications such as phishing that result in corruption, deletion of or damage to electronic data, theft of data, or denial of service attacks against websites or computer systems of a third party. This coverage protects against liability associated with the Company’s failure to prevent transmission of malicious code from its system to a third party’s computer system.


Coverage for defamation, libel, slander, emotional distress, invasion of the right to privacy, copyright and other forms of intellectual property infringement (patent excluded) in the course of the Company’s communication of media in electronic (website, social media, etc.) or non-electronic forms.


Coverage for expenses and payments (including ransom payments if necessary) to a third party to avert potential damage threatened against the Company, such as the introduction of malicious code, system interruption, data corruption or destruction, or dissemination of personal or confidential corporate information.


Coverage for lost earnings and expenses incurred because of an authorized third party’s inability to access the Company network due to disruption of the Company’s computer system(s), including restoration costs from the alteration, destruction, damage or loss of digital assets.


If the Company maintains or processes credit or payment cards, then the Company must maintain at least $100,000 of PCI-DSS fines and assessment coverage to respond to any fines, penalties or other costs levied by, or incurred in responding to, the Payment Card Industry Security Standards Council under the Payment Card Industry Data Security Standard, as well as coverage for expenses associated with a mandatory audit performed after a data breach event by a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council.


Company must maintain at least $100,000 of cyber deception coverage for losses from the intentional misleading of the Company by means of a dishonest misrepresentation of a material fact contained or conveyed within an electronic or telephonic communication, which is relied upon by the Company believing it to be genuine and which results in a financial loss to the Company.


Company must maintain coverage of no less than $100,000 for losses incurred from unauthorized electronic funds transfer; theft of Company money or other financial assets from the insured Company’s bank by electronic means; theft of money or other financial assets by electronic means; or any fraudulent manipulation of electronic documentation, while stored on Company computer system(s), that leads to a transfer of funds based on the fraudulent electronic documentation.


Policy must include coverage and wording stating that the insurance carrier must defend (duty to defend) the Company for any claim made against the Company seeking damages which are potentially payable under the terms of the insurance policy, even if any of the allegations of the claim are groundless, false, or fraudulent.


The policy must include coverage for any act certified as an “Act Of Terrorism” pursuant to the federal Terrorism Risk Insurance Act of 2002 or otherwise declared an “Act Of Terrorism” by any government; or any act committed by any person or group of persons designated by any government as a terrorist or terrorist group, or any act committed by any person or group of persons acting on behalf of or in connection with any organization designated by any government as a terrorist organization; or the use of force or violence and/or the threat thereof by any person or group of persons, whether acting alone or on behalf of or in connection with any organization or government, committed for political, religious, ideological, or similar purposes, including the intention to influence any government and/or put the public, or any section of the public, in fear.

Cyber and Data Breach Liability Insurance: Protecting Small Businesses and Our Nation

This document is for small and mid-sized businesses that are considering acquiring “cyber and data breach liability insurance” to protect themselves against the increasing velocity and complexity of cyber and data breach attacks.

There is an appendix for the CMMC.

It is also for larger businesses and governments to help them understand the value of the insurance for their contractors and extended supply chain members.

Some may wish to require subcontractors and suppliers to have proper Insurance in place, as a stipulation to providing goods or services to them.

Please provide feedback associated with this living document!

This white paper is a living document.
We are looking for germane contributions associated with the following topics contained in the body of work.

  • What is Cyber and Data Breach Liability Insurance
  • What to Look for in an Offering
  • Suggested Requirements
  • Examples of Underwriting Questions
  • Sample Requirements for Contracts
  • Value to the Cybersecurity Maturity Model Certification (CMMC)

We would also like to hear of new topics associated with insurance.

Please send comments to insurance@rightexposure.com