A breach is not just an IT problem. It is a contract and recovery problem.

A serious cyber event can put pressure on revenue, customer trust, contract compliance, privacy duties, and response costs at the same time. The issue is rarely one invoice; it is the stack of business interruption, legal counsel, forensics, notification, vendor recovery, social engineering loss, and contract fallout. Cyber liability insurance does not prevent the attack. It helps fund the recovery plan that keeps the business operating.

The Texas Data Privacy and Security Act (TDPSA) became effective July 1, 2024. The Act applies to businesses that conduct business in Texas or produce products or services consumed by Texas residents, and that meet processing thresholds. The Texas Attorney General has exclusive enforcement authority. Civil penalties can reach 7,500 dollars per violation, with each affected consumer counting as a separate violation. A 30-day cure period applied before January 1, 2025, but expired on that date. The Texas Attorney General filed the first TDPSA lawsuit on January 13, 2025, against Allstate Corporation and five Arity subsidiaries, claiming over 1,000,000 dollars in monetary relief. Investigations now affect over 100 companies. Texas Data Broker Law penalties stack at 100 dollars per day with a 10,000 dollar 12-month maximum and constitute deceptive trade practices under the Texas DTPA. Cyber liability policies typically respond to TDPSA defense and indemnity within the regulatory defense and fines sub-limit.

Modern cyber liability policies split coverage into first-party and third-party sections. First-party coverage pays your costs after an incident: incident response and forensic investigation, legal counsel, ransom payment (subject to OFAC and carrier approval), business interruption income loss during recovery, system restoration and data recovery, breach notification to affected individuals, credit monitoring for affected individuals, and public relations crisis response. Third-party coverage pays liability arising from the incident: privacy liability for failure to protect personally identifiable information, network security liability for transmission of harmful code or denial-of-service, regulatory defense and fines (including TDPSA penalties to the extent insurable), payment card industry (PCI) fines and assessments, and media liability for content published online. Optional endorsements add social engineering fraud (wire fraud and invoice manipulation), reputational harm, contingent business interruption for vendor outages, and cryptojacking.

Cyber loss cost varies by incident type, revenue, downtime, data type, payment-card exposure, vendor dependency, and contract obligations. Ransomware, business email compromise, privacy notification, forensic investigation, legal counsel, customer churn, and interrupted operations can stack together quickly. The McDade Cyber Liability Review does not pick a limit from a headline number; it maps first-party and third-party limits to how your business actually operates.

First-party cyber coverage pays your business's own costs after a cyber incident. These include forensic investigation to determine what happened, legal counsel during the incident, ransom payment if you elect to pay and the carrier approves under OFAC restrictions, business interruption income loss while systems are down, system restoration and data recovery, breach notification expense to affected individuals as required by Texas Business and Commerce Code Chapter 521, credit monitoring services for affected individuals, and public relations crisis response. Third-party cyber coverage pays liability from claims brought against your business by others. These include privacy liability lawsuits for failure to protect personally identifiable information, network security liability for transmitting harmful code or causing a denial-of-service condition, regulatory defense and fines (including Texas Attorney General TDPSA actions), Payment Card Industry assessment defense, and media liability for online content. A complete cyber program carries both first-party and third-party limits, often with separate sub-limits per coverage line.

Most cyber liability policies include cyber extortion coverage that can fund a ransom payment, subject to carrier consent and U.S. Treasury Office of Foreign Assets Control (OFAC) compliance. OFAC publishes a Specially Designated Nationals list, and any ransom payment to a sanctioned actor or jurisdiction can produce significant federal penalties even where coverage exists. The U.S. Treasury has explicitly warned that paying ransoms to sanctioned actors violates federal law regardless of insurance coverage. Carrier consent is required before payment. The decision to pay or not pay is strategic and rarely simple. Research published in 2025 shows that 69 percent of businesses that paid a ransom were attacked again, and 82 percent who paid received less than the original demand. Many Texas businesses that experience ransomware now choose not to pay because of repeat-attack risk and OFAC complexity, and instead use cyber liability coverage for system restoration and business interruption.

Social engineering coverage, sometimes called funds transfer fraud, social engineering fraud, or computer fraud, covers loss from fraudulent transfer of money or securities caused by deception. Common scenarios include the fake CEO email, the changed vendor invoice, and the fake contract amendment requesting a funds transfer. This coverage is often handled by a specific cyber endorsement or sub-limit, and it may not be handled by crime, general liability, or property policies. McDade checks the wording because social engineering is one of the easiest cyber gaps to miss.

Texas Business and Commerce Code Chapter 521, the Identity Theft Enforcement and Protection Act, requires businesses that own, license, or maintain sensitive personal information about a Texas resident to notify affected individuals as quickly as possible after discovering a security breach involving that information. Notification must occur within 60 days of breach discovery. Notification to the Texas Attorney General is required for breaches affecting 250 or more Texas residents. Penalties include civil penalties up to 50,000 dollars per violation imposed by the Texas Attorney General, plus separate notification cost obligations to affected consumers (typically credit monitoring for one year). Cyber liability policies typically cover the notification process, the credit monitoring expense, and the regulatory defense costs associated with Chapter 521 violations within the privacy regulatory sub-limit.

The McDade Cyber Liability Review is an audit of your existing cyber liability policy by Dallas Downey, CLCS, with the McDade commercial team. The review evaluates four primary areas specific to Texas businesses. First, the limit structure across first-party and third-party coverage lines against your operational exposure (annual revenue, employee count, sensitive data volumes, PCI scope). Second, the TDPSA regulatory defense and fines sub-limit against your Texas Attorney General exposure (which now scales at 7,500 dollars per affected consumer). Third, the ransomware and business interruption coverage including the waiting period, the period of indemnity, and the OFAC compliance language. Fourth, the social engineering fraud coverage and the sub-limit, which is the most common Texas commercial cyber gap and the most common Texas commercial cyber loss. About 40 percent of the time the review confirms the current carrier and policy structure are correct. The other 60 percent identifies sub-limit shortfalls, exclusion gaps, or carrier restructuring opportunities.

The cyber lineage in Charles's family runs to Houston, 1997. The late Douglas Finley, Charles's grandfather, founded Naknan Inc., a Houston Clear Lake area endpoint security and information technology services company. Naknan operated in Houston's NASA corridor at 1300 Bay Area Boulevard for over two decades, providing endpoint security, patch management, IT services, software engineering, and network security products to commercial and government clients. The flagship product was a security software platform called Security Assistant. Naknan held federal 8(a) Small Disadvantaged Business certification and was minority-owned and woman-owned. Charles grew up understanding that cybersecurity is not abstract, it is what working families build businesses around in Houston. The McDade Cyber Liability Review carries that family understanding of cyber risk into the broker's chair. Cyber liability insurance does not prevent the attack. Cyber liability insurance, paired with appropriate security controls, prevents the closure that follows the attack.

Dallas Downey, CLCS leads the McDade commercial insurance team including Cyber Liability. Dallas holds the Certified Lines Coverage Specialist designation and routes commercial conversations through a dedicated commercial meeting calendar. Charles McDade reviews cyber policies alongside Dallas, drawing on the family background in endpoint security and information technology services through Naknan Inc. The McDade office serves the Houston metropolitan area including Spring, Klein, Tomball, Cypress, The Woodlands, Conroe, Humble, Katy, and Bridgeland, plus all of Texas through Premier Group Insurance carrier access including 50+ top Texas carriers we know well. McDade Insurance Brokerage Group is licensed by the Texas Department of Insurance (Texas License 2539471). Schedule a commercial review through the commercial routing on this page or call the McDade office at 281.378.5002.

There is no universal correct limit. The starting point is operational exposure measured across annual revenue, employee count, sensitive data records held, PCI cardholder data scope, and contract-required minimums from your largest clients. For Texas small businesses under 50 employees with no PCI scope and limited sensitive data, 1,000,000 dollars combined first-party and third-party is the floor and 3,000,000 dollars is common. For Texas mid-size businesses with 50 to 500 employees, 3,000,000 to 10,000,000 dollars is the typical range. Healthcare, financial services, and any business handling significant PCI or PHI scope typically requires 5,000,000 to 25,000,000 dollars or more. Contract requirements from large general contractors, healthcare facilities, and government clients increasingly mandate specific cyber minimums in the 2,000,000 to 5,000,000 dollar range. The McDade Review evaluates the limit against your specific operational and contract exposure.