A data breach or significant cyber incident rarely ends with the technical response. For many businesses, the more consequential — and more expensive — phase begins in the weeks and months that follow, when government regulators begin asking questions. Federal agencies, state attorneys general, industry regulators, and in some cases multiple jurisdictions simultaneously may open investigations into how a breach occurred, what data was affected, whether the business complied with applicable security and notification requirements, and whether consumers were harmed. The legal defense costs of these investigations, and the civil penalties that can result, are among the largest components of the total cost of a serious cyber incident.

Cyber insurance is designed in part to address this exposure, but the coverage available for regulatory investigations is more limited and more nuanced than many business owners assume. Understanding what your policy covers, what it excludes, and how to use it effectively when a regulatory investigation begins can make an enormous practical difference in how your business gets through the experience. This guide walks through every dimension of the regulatory coverage question.

What Types of Regulatory Investigations Follow a Cyber Incident

The range of regulatory bodies that may take interest in a data breach or cyber incident is broader than most business owners expect. At the federal level, the Federal Trade Commission has authority to investigate unfair or deceptive acts and practices, and the FTC has consistently taken the position that failing to maintain reasonable data security is an unfair practice. An FTC investigation following a data breach can result in a consent order requiring the business to implement a comprehensive information security program subject to independent auditing for twenty years — a significant and enduring burden in addition to any monetary penalty.

The Department of Health and Human Services Office for Civil Rights enforces the Health Insurance Portability and Accountability Act. A data breach involving protected health information — even if your business is a business associate of a covered entity rather than a healthcare provider itself — triggers HIPAA breach notification obligations and potential HHS investigation. HIPAA enforcement penalties can reach substantial amounts per violation, and HHS has pursued significant enforcement actions against organizations that were themselves victims of cyberattacks, on the theory that inadequate security controls constituted a HIPAA violation.

The Securities and Exchange Commission has authority over publicly traded companies and registered investment advisers. The SEC has been increasingly active in cybersecurity enforcement, and its 2023 rules requiring public companies to disclose material cyber incidents within four business days of determining that an incident is material have significantly raised the compliance stakes. Even private companies that are not SEC registrants may face SEC interest if a breach affects securities transactions or investor information.

Banking regulators — including the Office of the Comptroller of the Currency, the Federal Reserve, the FDIC, and state banking departments — have cybersecurity examination and enforcement authority over financial institutions. The Federal Financial Institutions Examination Council computer security incident notification rule requires banking organizations to notify their primary federal regulator within 36 hours of certain cyber incidents. A breach or significant cyber event affecting a financial institution can trigger examinations and enforcement actions from multiple banking regulators simultaneously.

State attorneys general have independent enforcement authority under state data breach notification laws and, in some states, comprehensive privacy laws. The California Attorney General enforces the California Consumer Privacy Act and the California Privacy Rights Act. States including New York, Massachusetts, Illinois, and Virginia have their own privacy and data security laws with enforcement teeth. After a significant breach, it is common for the attorneys general of multiple states to coordinate an investigation, with potential penalties multiplying across jurisdictions.

What Regulatory Defense Coverage in Cyber Policies Actually Covers

Most cyber insurance policies include a coverage component commonly referred to as regulatory defense and penalties coverage, or by similar names. At its core, this coverage is designed to pay two categories of cost: first, the legal fees and other defense costs incurred in responding to a regulatory investigation or defending against a regulatory enforcement action; and second, civil fines and penalties assessed by a government regulator, to the extent they are insurable under applicable law.

Defense costs coverage is the more straightforward of the two. When a regulatory agency opens an investigation, you will need legal counsel to advise you on the investigation, gather documents, prepare responses to information requests, and if necessary represent you in formal proceedings. Regulatory investigations can require enormous amounts of attorney time — a significant breach investigation by multiple state attorneys general can generate legal fees in the hundreds of thousands of dollars even before any penalty is assessed. Cyber policy regulatory defense coverage pays these fees, typically subject to a requirement that you obtain the insurer’s approval of the counsel you retain or use panel counsel approved by the insurer.

Civil fines and penalties coverage is more complex. Whether fines and penalties can be covered by insurance at all depends on the law of the state whose insurance law governs the policy and the nature of the fine or penalty. Some states expressly permit insurance coverage for civil regulatory penalties. Others limit or prohibit such coverage on public policy grounds, on the theory that allowing a company to insure against penalties would eliminate the deterrent effect of the penalty.

In practice, most cyber policies offer to cover civil penalties to the extent permitted by law, which effectively defers the question to applicable state law. For many common cyber-related penalties — such as those assessed by state attorneys general under breach notification laws for failing to provide timely notification — coverage is generally available in most states. For penalties assessed for willful or knowing violations of law, coverage is more likely to be excluded or unavailable as a matter of public policy.

What Cyber Policies Typically Do Not Cover

Understanding the exclusions and limitations in regulatory coverage is as important as understanding what is covered. Several categories of cost are commonly excluded or limited.

Criminal penalties and sanctions are not insurable and are excluded from virtually every cyber policy. If a regulatory action results in criminal charges — which is uncommon in the cybersecurity context but not impossible, particularly for serious data privacy violations or deliberate misconduct — the resulting criminal fines are not covered. Criminal defense costs are a separate matter; some policies provide limited coverage for criminal defense costs arising out of covered regulatory proceedings, but this is not universal.

Disgorgement, which is an equitable remedy requiring a defendant to give up ill-gotten profits rather than pay a punitive penalty, is generally not insurable as a matter of public policy. Regulatory agencies including the FTC and SEC have increasingly sought disgorgement in enforcement actions, and if disgorgement is ordered as part of a regulatory resolution, that amount will not be covered by your cyber policy.

Fines and penalties resulting from intentional violations of law are typically excluded. If a regulator finds that your company deliberately failed to provide breach notification in order to avoid reputational harm, or knowingly implemented a deceptive data collection practice, penalties resulting from those findings may fall within an intentional violation exclusion. This exclusion is significant because regulators often allege that violations were knowing or willful in order to support higher penalties, and the existence of such allegations can create a coverage dispute even when the business’s actual conduct was not intentional.

Pre-existing violations are also commonly excluded. If a regulatory investigation uncovers security practices that were inadequate before the current policy period began, and the penalties relate to that historical conduct, the insurer may argue that those penalties relate to a pre-existing condition not covered under the current policy.

The SEC’s Cybersecurity Disclosure Rules and Insurance

The SEC’s 2023 cybersecurity rules created significant new compliance obligations for public companies and new regulatory risk that intersects with cyber insurance in important ways. Public companies are now required to disclose material cyber incidents on Form 8-K within four business days of determining that the incident is material. They are also required to annually disclose their cybersecurity risk management, strategy, and governance in Form 10-K filings.

These disclosure requirements create regulatory exposure in two directions. First, a company that experiences a material cyber incident and fails to make timely disclosure faces potential SEC enforcement action. The SEC has already brought enforcement actions against public companies for inadequate or untimely cyber incident disclosure, including an action against SolarWinds and its chief information security officer arising from the 2020 supply chain attack. Defense costs for an SEC enforcement action are substantially covered under the regulatory defense provisions of a cyber policy, assuming the incident arose from a covered cyber event.

Second, even accurate and timely cyber disclosures can trigger derivative litigation or shareholder actions alleging that the company’s management mishandled cybersecurity or failed to disclose risks adequately. These civil claims may implicate directors and officers coverage as much as or more than cyber coverage, and understanding how your cyber and D&O policies interact in this scenario is important. A company facing simultaneous regulatory investigation and securities litigation after a cyber incident can find itself with multiple policies providing overlapping or conflicting coverage for the same events.

For private companies, the SEC rules do not directly apply, but the SEC’s regulatory framework may still be relevant. Investment advisers registered with the SEC, broker-dealers, and other SEC registrants face separate cybersecurity requirements regardless of their public or private status. Ensuring that your cyber policy’s regulatory coverage specifically addresses SEC enforcement is important if you are an SEC registrant.

State Breach Notification Law Enforcement and Coverage

Every US state now has a data breach notification law, and these laws are enforced by state attorneys general with varying levels of aggressiveness. A breach affecting residents of multiple states can trigger notification obligations under dozens of different state laws simultaneously, and failure to comply with those obligations — through late notification, deficient notice content, or failure to notify at all — can result in enforcement actions by multiple state AGs.

The most aggressive state enforcers have been California, New York, Illinois, and Massachusetts, though other states have become more active in recent years. Multi-state attorney general investigations following major breaches are common, with a coalition of AGs from multiple states coordinating their investigations and negotiating settlements collectively. These multi-state settlements can involve substantial monetary payments — major data breaches have resulted in multi-state AG settlements ranging from several million to hundreds of millions of dollars.

Cyber insurance regulatory coverage applies to these state enforcement actions in the same way it applies to federal investigations: defense costs are covered, and civil penalties are covered to the extent permitted by law. The multi-state dimension of a regulatory response can significantly increase both the defense costs and the penalty exposure, and ensuring that your policy limits are adequate to cover a multi-state enforcement scenario is an important part of the coverage adequacy analysis.

New York has enacted particularly significant legislation in this area. The NY SHIELD Act expanded New York’s data security requirements and requires any business holding New York residents’ private information to implement a reasonable data security program, regardless of whether the business is located in New York. The New York Attorney General has brought enforcement actions against out-of-state businesses for breaches affecting New York residents. If you do business with customers in New York — which most businesses do — the NY SHIELD Act creates regulatory exposure that your cyber policy should be designed to address.

How to Report a Regulatory Investigation to Your Insurer

When you receive notice of a regulatory investigation — whether in the form of a formal civil investigative demand, a subpoena, an inquiry letter, or even an informal request for information from a regulatory agency — you should notify your cyber insurer promptly. Most cyber policies require notice as soon as practicable after you become aware of a claim or potential claim, and an official regulatory inquiry is almost certainly a claim or potential claim within the meaning of your policy.

The notification should include a copy of the regulatory inquiry itself, a description of the underlying incident that prompted the inquiry, and the dates on which the incident was discovered and on which the regulatory inquiry was received. Your insurer will use this information to evaluate coverage, assign a coverage attorney if applicable, and determine whether to approve the retention of defense counsel.

Documentation is critically important in regulatory investigation scenarios. Preserve all communications from the regulatory agency, all internal communications relating to the incident and the regulatory response, and all records of decisions made during the breach response. This documentation serves multiple purposes: it supports your insurance claim, it is the foundation of your legal defense in the regulatory proceeding, and it may be subject to document preservation obligations that arise once litigation or a formal investigation has commenced.

If you have legal counsel assisting with your breach response, that counsel should be notified immediately when a regulatory inquiry arrives. Counsel can advise on privilege issues, document preservation, and the coordination of your legal response with your insurance claim. The intersection of regulatory defense, insurance coverage, and attorney-client privilege is complex, and early involvement of counsel is essential.

The Interaction Between Regulatory Investigations and Civil Litigation

In significant data breaches, regulatory investigations and civil litigation frequently occur simultaneously. Class action lawsuits filed by affected individuals often follow quickly after a publicly announced breach, while regulatory investigations may proceed on a slower timeline. Managing these parallel proceedings requires careful coordination of legal resources, communications strategy, and insurance coverage.

From an insurance perspective, regulatory defense costs and civil litigation defense costs are typically covered by separate provisions within a cyber policy, and they may be subject to separate sub-limits. If your policy has a ten million dollar limit with a two million dollar sublimit for regulatory defense, and you face both a major class action and a significant multi-state AG investigation simultaneously, the sublimit on regulatory coverage could be exhausted before the investigation is resolved, leaving you to pay additional regulatory defense costs out of pocket.

The timing and sequencing of regulatory and civil proceedings also affects coverage. Admissions made in a regulatory settlement can be used against the company in subsequent civil litigation, and vice versa. Decisions about settlement strategy in the regulatory context therefore have legal implications beyond the regulatory proceeding itself. Your legal counsel and your insurer both have interests in these decisions, and their interests are not always perfectly aligned — the insurer’s interest is in minimizing total claim payments, while your interest is in the best overall outcome for your business, which may not always be achieved through minimum settlement.

Pre-Breach Regulatory Compliance as an Insurance Strategy

The most effective strategy for managing regulatory investigation risk is to reduce the likelihood and severity of regulatory problems through proactive compliance. This is relevant to insurance in two distinct ways: it reduces the probability that you will face a regulatory investigation at all, and it demonstrates to regulators — and to your insurer — that your business handled data responsibly, which affects both regulatory outcomes and coverage positions.

Implementing a documented data security program that is proportionate to the sensitivity of the data you hold is the foundation of data security compliance. A documented program provides evidence in a regulatory investigation that your company took security seriously and made reasonable efforts to protect data, even if those efforts were ultimately insufficient to prevent a breach. Regulators consistently treat organizations with documented, implemented security programs more favorably than organizations that cannot demonstrate any formal security practices.

Incident response planning is also an important compliance activity with direct regulatory implications. Most data security laws require notification within specific timeframes, and the ability to make timely, accurate notifications depends on having a tested incident response process. Regulators have specifically cited slow or inadequate incident response as a factor in enforcement decisions. A well-designed and tested incident response plan reduces both the risk of regulatory violation and the severity of any regulatory response.

Data minimization — collecting and retaining only the personal information you actually need for legitimate business purposes — reduces both your regulatory exposure and the potential damage from a breach. If your business does not hold data it does not need, a breach of your systems does not create the regulatory exposure associated with that data. Privacy laws in California, Colorado, Virginia, and other states impose specific data minimization obligations, and compliance with these obligations directly reduces the scope of potential regulatory penalty in the event of a breach.

What to Look for in a Policy When Regulatory Exposure Is Significant

For businesses that face significant regulatory exposure — because they hold large amounts of sensitive personal information, because they operate in heavily regulated industries, because they serve consumers in states with aggressive privacy enforcement, or because they are SEC registrants — several specific policy features deserve particular attention.

Sub-limits on regulatory coverage are one of the most important issues to evaluate. Many cyber policies impose sub-limits on regulatory coverage that are substantially lower than the overall policy limit. A policy with a ten million dollar overall limit and a one million dollar regulatory sublimit may be inadequate for a business that faces significant multi-state enforcement exposure. Understanding the sub-limits that apply to regulatory coverage and ensuring they are adequate for your specific exposure profile is an essential step in the coverage adequacy review.

The geographic scope of regulatory coverage matters for businesses that operate nationally or internationally. Some policies limit regulatory coverage to proceedings in the United States, or to specific listed regulatory bodies. If your business is subject to European data protection regulation, including GDPR, or to the laws of non-US jurisdictions, you need to verify that your policy’s regulatory coverage extends to those jurisdictions.

The definition of regulatory proceedings covered by the policy should be reviewed carefully. Some policies define regulatory proceedings narrowly, covering only formal enforcement actions after charges have been filed. Others cover informal investigations from the outset, including responses to regulatory inquiries and civil investigative demands before any formal proceeding has commenced. The costs incurred in the early investigative phase can be substantial, and coverage that kicks in only after formal charges are filed may leave a significant gap.

Finally, consider the relationship between your cyber policy’s regulatory coverage and other policies in your insurance program. Directors and officers policies, employment practices liability policies, and professional liability policies may also provide defense coverage for regulatory investigations depending on the nature of the investigation. Understanding how your policies interact — which one responds first, whether they coordinate or conflict, and how their combined limits apply to a major regulatory event — is essential for making sure your overall insurance program adequately addresses your regulatory risk exposure. Working with legal counsel who understands both insurance and regulatory compliance is the most reliable way to navigate this complexity.