A cyber policy is easier to understand once you see that it answers two very different bills. One pays for cleaning up your own mess. The other pays for what you owe the people your incident affected. Knowing which half is which, and whether both are sized right, is most of what matters.
First-party: your own losses
First-party coverage generally responds to the costs you absorb directly when something goes wrong. It is the money you spend recovering. That typically includes investigating the breach, restoring lost or corrupted data, income lost while your systems are down, extortion or ransomware payments and the negotiation around them, and the cost of notifying affected people. When ransomware locks your files or an intrusion takes your systems offline, this is the side that pays to get you running again. It is the coverage most owners can picture, because the losses are your own and immediate.
Third-party: what you owe others
Third-party coverage generally responds to your liability to other people affected by the incident. If client records are exposed, affected clients may bring claims, and this side answers those, along with the defense costs to fight them and sometimes regulatory matters that follow. The plaintiff here is someone outside your firm, and the allegation is that your incident harmed them. This side can be slower and larger, because it plays out through claims and litigation rather than a cleanup you control.
Why one incident triggers both
The reason a firm usually needs both halves is that a single event rarely stays on one side. Ransomware that locks your systems is a first-party loss the moment it hits. If that same event exposed client data, it becomes a third-party exposure the moment affected clients respond. The firm is paying to recover its own operations and defending claims from others at the same time. A policy that is strong on breach response but thin on liability, or the reverse, leaves one of those two bills partly uncovered.
The limits detail
Both halves being present is not the whole story. Cyber policies often carry different limits and sublimits for different coverages. A policy might advertise a headline limit while capping ransomware, or social engineering, or notification costs under smaller sublimits. Two policies with the same top-line number can respond very differently to the same event. That is why the review is not just do I have cyber, but how much of each part do I actually have.
Which one fits
For a professional firm that holds client data, this is rarely an either-or. The realistic answer is a policy that covers both sides, sized to how each kind of loss would actually hit you. A firm that stores a lot of sensitive client information leans harder on the third-party and notification side. A firm whose operations would grind to a halt if systems went down leans harder on business income and restoration. You want both present, and you want the half that matches your bigger risk sized accordingly, not left under a small sublimit.
Questions to ask your advisor
- Does my cyber policy include both first-party and third-party coverage?
- What are the sublimits on ransomware, notification, and social engineering?
- Which half matches my bigger exposure, my own downtime or client data liability?
- How do defense costs work on the third-party side, inside or outside the limit?
- Would a single incident that locks systems and exposes data be fully covered?
First-party cyber pays to fix your own mess. Third-party cyber pays for what you owe the people your incident affected. A real breach usually creates both at once, which is why most professional firms need both halves present and sized to the risk. The policy question is not simply whether you have cyber, but whether each side is built to answer the bill it is meant to.
Want guidance first? Compare your coverage. Already know what you need? Get a quote.