David Vainer

Managing Partner & CEO of Alliance Risk

The average U.S. breach costs $10.22 million, according to IBM’s 2025 Cost of a Data Breach Report. Forensics, notification, legal defense, regulatory fines, litigation. All in one bill.

Most CFOs have no idea what those costs break down into. They don’t know how much to buy. They don’t know what their policy covers.

Data breach insurance transfers those costs to an insurer. It won’t stop a breach. It makes the aftermath survivable. When systems go down and data leaks, insurance brings forensic firms, legal counsel, and crisis teams within hours.

Here’s what you need: what gets covered, what doesn’t, how much to buy, what it costs, and why underwriters accept some companies and reject others.

What Data Breach Insurance Covers

Policies split into two buckets: first-party costs and third-party costs.

First-party costs

First-party costs are what your company spends to respond. Verizon’s 2025 DBIR puts the average dwell time at 241 days. When you finally find the breach, the meter starts.

Forensics comes first. You hire investigators to find what happened, which systems got hit, which data leaked, and how attackers got in. Cost: $25,000 to $500,000 depending on scope. Good firms preserve evidence for court and regulators. You’ll need that later.

Notification follows. Every U.S. state requires it. Most require it within 30-60 days. Cost for 100,000 people: $50K-$150K depending on method and vendor.

Credit monitoring comes next. Most states require 1-3 years of coverage. Cost per person: $25-$75. Large breaches get expensive fast.

Legal fees stack up. Counsel for notifications, regulatory interpretation, regulator negotiations, shareholder suits. Cost: $150K-$500K depending on breach size and litigation.

Crisis management matters. Firms managing reputation, talking to customers, controlling the story. Cost: $50K-$200K for major companies.

Business interruption hits too. Systems down means no revenue, overtime, lost orders. Some policies cover it. Many skip it.

Third-party costs

Third-party costs are what others sue you for after a breach.

Regulatory defense covers fines and penalties from state attorneys general, the FTC, state privacy commissioners, and sometimes the SEC. Under California’s CPRA, penalties run $107 to $799 per consumer per incident, adjusted for inflation each year. If your breach hit 50,000 California residents, the exposure is staggering. Some policies cover regulatory defense costs including attorney fees and fines. Others cover only attorney fees and leave fines on you.

Breach litigation defense covers lawsuits from consumers whose data was stolen. These suits claim your security was weak, your encryption was missing, or your standards fell short. Class action settlements in breach cases range from $50,000 to several million dollars depending on breach size, data type, and perceived negligence.

Regulatory settlements are growing more common. Agencies settle breach claims before full enforcement. These settlements require payment to the government, security upgrades, and ongoing monitoring. The FTC has settled with companies for millions over negligent practices.

Privacy liability covers lawsuits beyond breach response: unauthorized disclosure, failure to honor deletion requests. These overlap breach coverage but extend into privacy governance.

What Data Breach Insurance Does NOT Cover

Know the exclusions.

Intentional acts.

If employees steal data on purpose, or you knowingly send unencrypted data, insurance won’t pay. It covers mistakes, not fraud.

Prior breaches you hid.

Underwriters ask: have you had a breach? If yes and you kept quiet, they’ll deny claims tied to that breach. Repeat offenders get declined or priced out.

War, terrorism, government action.

Most policies exclude breaches from military action or foreign state operations. Some exceptions exist. Negotiate them.

Contractual penalties beyond limits.

If you promised a customer $500/record in case of breach, and that exceeds your policy, insurance won’t cover the gap.

Unencrypted data.

Some policies exclude breaches of unencrypted PII or payment card data. Store sensitive data without encryption and get breached? You’re on your own. Critical issue.

Missing security controls.

If your plan requires EDR and it wasn’t running when the breach hit, insurers can deny coverage. Carriers enforce this more every year.

How to Calculate How Much Coverage You Need

Use math. Don’t guess.

Start with your records. How many trigger notification if exposed? Count names, addresses, SSNs, driver’s license numbers, payment data, health records. Healthcare: patient records. Finance: customer financials. Retail: cardholder data and linked emails.

Apply a cost-per-record framework. IBM pegs the U.S. average at $276 per stolen record. But it varies by industry. Healthcare: $636 per record. Financial services: $300. Technology and professional services: $180. These figures include forensics, notification, credit monitoring, legal defense, regulatory fines, and litigation.

Example: 500,000 patient records at $636/record = $318M theoretical max. Your practical max is lower. You won’t lose all records at once.

Layer in regulatory exposure. HIPAA, CCPA, GLBA, GDPR all carry fines. CCPA alone: $107-$799 per person per incident. California’s AG enforces aggressively. SEC rules require disclosure within 4 business days of material breach discovery.

Check contracts. Do customers require cyber insurance? Most ask for $5M-$25M. Some want to be named as additional insured on your policy. That’s your floor.

Think about risk tolerance. What breaks your balance sheet? A small manufacturer: $2M. Mid-market finance: $10M manageable, $50M worst case.

Most mid-market companies land on $2 million to $10 million. Enterprise companies carry $25 million to $100 million. The jump from $5 million to $10 million costs 20%-35% extra premium. Right-sizing matters.
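The sizing steps above, carried through in code as an added example (not Alliance Risk’s own tool or method). It uses only the per-record, CCPA and limit figures quoted in this article; the `exposed_fraction` parameter (the share of records you assume one incident actually exposes, since the article only says the practical maximum is lower than the theoretical one) and the list of common limit tiers are assumptions for illustration.

```python
"""Breach coverage sizing calculator (added example, not Alliance Risk's tool).

Walks the article's framework:
  1. count notifiable records
  2. multiply by the industry cost-per-record figure
  3. scale down to what one incident realistically exposes (assumed parameter)
  4. layer in regulatory per-person exposure (CCPA/CPRA range)
  5. never go below the contractual floor customers require
  6. round up to the next common policy limit tier
"""
from __future__ import annotations

from dataclasses import dataclass

# Per-record costs quoted in the article (IBM, U.S. figures).
COST_PER_RECORD = {
    "healthcare": 636,
    "financial_services": 300,
    "technology": 180,
    "professional_services": 180,
    "us_average": 276,
}

# CCPA/CPRA statutory range per consumer per incident, as quoted in the article.
CCPA_PENALTY_RANGE = (107, 799)

# Limit sizes the article mentions ($1M, $2M, $5M, $10M, $25M, $50M, $100M).
# Treating them as the tiers a carrier would quote is an assumption.
LIMIT_TIERS = [1_000_000, 2_000_000, 5_000_000, 10_000_000,
               25_000_000, 50_000_000, 100_000_000]


@dataclass
class ExposureEstimate:
    theoretical_max: float   # every record lost at the full per-record cost
    practical_max: float     # theoretical_max scaled by exposed_fraction
    regulatory_low: float    # California residents x low end of CCPA range
    regulatory_high: float   # California residents x high end of CCPA range
    contractual_floor: float # largest limit a customer contract requires

    def recommended_range(self) -> tuple[float, float]:
        """Low end: practical first-party loss plus low-end fines, but never
        below the contractual floor. High end: practical loss plus high-end fines."""
        low = max(self.contractual_floor, self.practical_max + self.regulatory_low)
        high = max(low, self.practical_max + self.regulatory_high)
        return low, high


def estimate_exposure(records: int, industry: str, california_residents: int = 0,
                      contractual_floor: float = 0.0,
                      exposed_fraction: float = 0.25) -> ExposureEstimate:
    """Apply the cost-per-record framework. exposed_fraction is an assumed
    planning parameter: 0.25 means you budget for a quarter of all records
    leaking in a single incident."""
    if records < 0 or california_residents < 0 or california_residents > records:
        raise ValueError("record counts must be non-negative and CA subset <= total")
    if not 0 < exposed_fraction <= 1:
        raise ValueError("exposed_fraction must be in (0, 1]")
    rate = COST_PER_RECORD[industry]          # KeyError on an unknown industry is deliberate
    theoretical = records * rate
    practical = theoretical * exposed_fraction
    return ExposureEstimate(
        theoretical_max=theoretical,
        practical_max=practical,
        regulatory_low=california_residents * CCPA_PENALTY_RANGE[0],
        regulatory_high=california_residents * CCPA_PENALTY_RANGE[1],
        contractual_floor=contractual_floor,
    )


def next_limit_tier(amount: float) -> int:
    """Smallest common limit tier at or above the amount; caps at the top tier."""
    for tier in LIMIT_TIERS:
        if tier >= amount:
            return tier
    return LIMIT_TIERS[-1]


if __name__ == "__main__":
    # The article's own scenario: 500,000 patient records, plus an assumed
    # 50,000 California residents and a $5M customer-contract floor.
    est = estimate_exposure(500_000, "healthcare", california_residents=50_000,
                            contractual_floor=5_000_000)
    low, high = est.recommended_range()
    print(f"theoretical max: ${est.theoretical_max:,.0f}")
    print(f"practical max:   ${est.practical_max:,.0f}")
    print(f"recommended:     ${low:,.0f} - ${high:,.0f}")
    print(f"limit to quote:  ${next_limit_tier(low):,}")
```

Run it with your own record count, industry and the largest limit any customer contract demands; the theoretical maximum reproduces the article’s $318M figure, and the recommended range is what you take to the broker when the right-sizing conversation moves from $5M to $10M or beyond.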

What Data Breach Insurance Costs

No published rate card exists. Premiums depend on industry, size, security, claims history, limits, and deductibles.

Small company (under 100 people), low-risk, basic controls: $2K-$5K/year for $1M limit. $8K-$15K for $5M.

Mid-market (500-2K people), higher-risk (finance, healthcare, tech): $15K-$50K/year for $5M. $40K-$100K for $10M.

Enterprise: $100K-$500K per year depending on size, industry, and history.

What drives your rate:

Security posture.

MFA, EDR, vulnerability scanning, patch management, network segmentation, training. Show these and rates drop. Skip them and you pay more or get declined.

Claims history.

Clean record? Better rates. Two breaches in 5 years? Much worse. Recent claims get declined.

Data sensitivity.

Healthcare and finance pay more. Patient records sell for more on the dark web than employee directories.

Regulatory location.

California and GDPR companies face higher exposure. Premiums reflect it.

Third-party vendors.

Heavy vendor use raises risk. Carriers ask about vendor due diligence.

Business model.

SaaS with millions of users: higher exposure than consulting firms with hundreds of clients.

Higher deductibles cut premiums. Most companies pick $25K-$100K. Choose higher only if you can pay it post-breach while managing other costs.

Data retention policy matters too. Keep 5 years of customer data but need only 2? You carry needless risk. Delete old data. Reduce exposure. Lower premiums.

The Breach Response Timeline: The First 72 Hours Matter

Insurance does more than pay bills. It runs your response.

Find a breach? Call your broker’s incident hotline. This triggers counsel, forensic firms, response vendors. The insurer has pre-negotiated rates with these vendors. You get experience right away. No scrambling. No emergency price gouging.

First 24-48 hours: forensic firm starts. Goal: understand scope. How many records? Which systems? When did it start? Scope drives notifications, regulatory exposure, and your insurance claim.

First 72 hours: think regulatory notification. Most laws give 30-60 days. Some say “without unreasonable delay.” SEC: 4 business days on Form 8-K for material breaches. Counsel helps you assess materiality fast.

Your incident response plan should outline triggers. More than 500 records? Payment card or health data? Customers in a specific state? Your plan needs decision trees. Carrier counsel walks you through them.

Forensics takes 2-6 weeks. You collect evidence, secure systems, document what happened. Do this through insurance counsel. Counsel keeps it under attorney-client privilege. Regulators and plaintiffs can’t see it without consent.

After forensics: notification planning. For 100,000 people? You need vendors managing notifications, credit monitoring companies, counsel ensuring state-by-state compliance. The insurer coordinates all of it.

Total timeline: discovery to notification end = 60-90 days. Costs pile up every day: forensics, notification, credit monitoring, legal, crisis management. The claim coordinator tracks it all.

How Underwriters Evaluate Your Application

Underwriters dig into security. Not just revenue.

MFA.

Remote access and admin accounts. No MFA? Expect a decline or steep premium.

EDR.

Endpoint detection and response on critical systems. You need visibility. Without it, you’re blind to threats.

Offline backups.

Ransomware now hits 44% of breaches, Verizon reports. Network-connected backups get encrypted too. You need offline copies.

Security training.

Documented program covering phishing, social engineering, password security. Show completion rates.

Incident response plan.

Written. Clear roles for notification, forensics, communication, oversight.

Patch management.

How fast do you patch after release? Formal SLA for critical patches?

Third-party vendors.

Who has your data? Have you vetted their security? Do contracts require specific standards?

Data retention.

What do you keep? How long? Delete what you don’t need. Reduce exposure.

These factors work on a spectrum. Mature controls earn lower premiums. Clean history earns lower premiums. Prior claims push premiums up.

Get Your Data Breach Coverage Review

Right-sizing breach coverage starts with knowing your record count, your regulatory footprint, and where your current policy leaves gaps. Alliance Risk reviews your program and markets your risk to carriers that specialize in cyber and breach response, delivering proposals in a few business days.

What We Need for Your Quote:

  • Company revenue, industry, and employee count
  • Record count by type (PII, PHI, payment card, financial)
  • States and countries where customers reside
  • Current security controls (MFA, EDR, backups, training, IR plan)
  • Current cyber coverage, limits, sublimits, and carrier (if any)
  • 5-year breach and claims history, including near-misses and regulatory inquiries

Schedule a Consultation:

Speak with a cyber specialist about your breach exposure at no cost.

Policy Review:

Already have coverage? We’ll review your existing policy at no charge, flagging thin notification sublimits, missing regulatory defense, weak business interruption terms, and coverage gaps against your record count.

Request a Quote:

Complete our online form or contact us directly to start the quote process.

Want coverage that brings forensics, counsel, and crisis teams to your door within hours? Let’s talk. Alliance Risk: your specialized partner for data breach insurance.