Can Cyber Insurance Recovery from a Third Party Satisfy a Self-Insured Retention?

Risk Management Magazine

PUBLISHED ON: December 27, 2022

When a particular source of business risk escalates, and insurance claims for losses stemming from that risk rise accordingly, insurance industry response is generally threefold: more exclusions, more claims denials, and higher premiums/retentions.

Cyberinsurance appears to have hit that trifecta. According to the Hiscox 2022 Cyber Readiness Report, median losses stemming from cyberattacks increased by 90% in the United States in 2022. The median rate increase for cyber coverage in Q1 2022 was 37%, according to a May 2022 insurance market report by Gallagher, and retentions have risen accordingly. And as noted in our last Fine Print column, Lloyd’s of London has responded to judicial rulings finding war risk exclusions inapplicable to cyberattacks by prodding syndicates to impose certain exclusions for state-backed cyberattacks.

As the terrain has become more perilous, companies increasingly seek indemnification from outside service providers or business partners to whom a data breach can be traced. In a global economy, businesses necessarily outsource core processes, participate in global supply chains, and rely on multiple partners to process transactions. In a 2021 Ponemon Institute survey, 51% of respondents said their companies had experienced a data breach caused at least in part by third parties.

To read the full article, please click here.


Joshua Gold is a shareholder in Anderson Kill’s New York office, chair of Anderson Kill’s cyber insurance recovery group and co-chair of the firm’s marine cargo industry group. He is co-author with Daniel J. Healy of Cyber Insurance Claims, Case Law, and Risk Management, forthcoming from the Practicing Law Institute.