Cyber insurance has existed since the 1990s, yet far too many companies still choose to ignore it, putting themselves at potentially enormous risk.
According to the latest figures from the Association of British Insurers (ABI), just 11% of businesses in the UK have a specific cyber insurance policy, yet the Government's Cyber Security Breaches Survey 2019 reveals that 32% of UK businesses suffered a cyber attack or breach in the previous 12 months.
So why does take-up of cyber insurance remain alarmingly low at a time when the evidence suggests that SMEs are under greater threat of a cyberattack than ever before?
Part of the problem is in understanding the complexities that exist in many cyber insurance policies.
The aftermath of a cyberattack can damage a company's reputation, cause loss of earnings through business interruption, and carry financial and legal consequences.
Whether you have a small start-up or run a large corporation, cyber liability insurance can help you absorb the cost of a cyber incident and limit the damage of a breach. You may feel that your business is well protected from cyber criminals, or that it is too small to be a target; however, as attackers' techniques become more sophisticated, you could be leaving yourself exposed. This guide explains the ins and outs of cyber liability insurance and helps you choose the right level of cover for your business.
Cyber and data risks insurance, also known as cyber liability insurance, is designed to support and protect your business if it experiences a data breach or malicious cyber hack that affects its computer systems. It also covers the losses relating to damage to, or loss of information from, IT systems and networks. As a business of any size, it is likely you will rely on information technology (IT) infrastructure to some degree. If so, you will be exposed to the risks of business interruption, income loss, damage management and repair, and possibly reputational damage if IT equipment or systems fail or are interrupted.
Cyber insurance is designed to protect businesses from internet-based risks and, more generally, from risks relating to information technology infrastructure and activities. It can also help you limit the damage caused by a successful attempt to access your business data. Cyber liability policies can offer support such as data recovery and business interruption cover, which can help get you back on your feet in the event of a cyber-attack.
Making the business case for cyber insurance
Any organisation that stores and maintains customer information or collects online payment information, or uses the cloud, should consider adding cyber insurance to its budget. Also, consider the proliferation of devices that now connect to business networks.
Attacks against businesses of all sizes are increasing. Small businesses tend to think they are safely tucked away from exposure, but Symantec found that over 30% of phishing attacks in 2015 were launched against organisations with fewer than 250 employees. Symantec's 2016 Internet Security Threat Report indicated that 43% of all attacks in 2015 were targeted at small businesses.
On a larger scale, the Center for Strategic and International Studies estimated in 2014 that the annual cost of cybercrime to the global economy was between $375 billion and $575 billion. Although sources differ, the average cost of a data breach to a large company is over $3 million. Each organisation has to decide whether it can absorb that amount of money, or whether cyber insurance is necessary to defray the costs of an incident that may very well occur.
Remember, cyber insurance covers first-party losses and third-party claims, whereas general liability insurance typically covers only bodily injury and physical property damage. Sony was caught in that situation after the 2011 PlayStation Network breach; hard costs reached £150 million that could have been offset by cyber insurance had the company made certain it was covered ahead of time. In the resulting court case, Zurich Insurance Company argued that Sony's policy covered only physical property damage, not losses from a cyber incident.
A UK Government survey estimated that in 2014 81% of large corporations and 60% of small businesses suffered a cyber breach. The average cost of a cyber-security breach is £600k-£1.15m for large businesses and £65k-£115k for SMEs. The Government classes cyber-attacks as a highest-tier (Tier One) risk to national security, alongside terrorism. As such, it has introduced a number of measures to help prevent cyber-attacks, including:
- Cyber Essentials – a basic cyber security hygiene standard to help organisations protect themselves against common cyber attacks.
- A National Cyber Crime Unit within the National Crime Agency.
- A ‘Cyber Information Sharing Partnership’ to allow Government and industry to exchange information on cyber threats.
- A single reporting system for people to report financially motivated cybercrime through Action Fraud.
- A UK National Computer Emergency Response Team (CERT-UK) to improve national co-ordination of cyber incidents.
- A Cyber Incident Response scheme run by GCHQ to help organisations recover from a cyber security attack.
- A network of Centres of Excellence for Cyber Security Research within UK universities, established in 2013 to provide reliable, up-to-date research.
Cyber Essentials, launched following the results of the survey, sets out the basic controls (such as patching, secure configuration, access control, malware protection and boundary firewalls) that stop the most common attacks. Obtaining Cyber Essentials certification is a good first step towards becoming cyber resilient, and a number of insurers take it into account when pricing cover.
Do I need Cyber Liability insurance?
If your business handles sensitive customer data such as names, addresses, or banking information, or you are reliant on computer systems to conduct your business, you should be protecting your customer data as this could be compromised in the event of a security breach.
Some people feel that their business is too small to warrant investing in cyber liability insurance; however, according to a report by the Federation of Small Businesses, two-thirds of its members were victims of cyber-crime between 2014 and 2016. Our cover is designed for businesses with an annual turnover of up to £10 million, so it can be tailored to suit your needs even as a small business.
Most importantly, you need protection against the financial loss you will suffer if your customers' personally identifiable information (PII) is lost, stolen or leaked. Since 25 May 2018, the General Data Protection Regulation (GDPR) has allowed regulators to fine a company up to €20 million or 4% of its annual global turnover, whichever is the higher.
As small businesses become more reliant on technology and hold more data, they are increasingly becoming the target of cyber criminals. In fact, 1 in 3 UK small businesses have fallen victim to cybercrime. When it comes to cyber security, cyber insurance is a key way to ensure your back is covered should the worst happen.
If your business is targeted by a hacker or suffers a data breach, it takes time and money to fix. This can disrupt your business, lead to lost revenue, a damaged reputation and regulatory fines.
What does Cyber Insurance cover you for?
Cyber liability insurance has been designed with both large and small businesses in mind and protects you against the financial and reputational costs of a cyber incident. Typical covers include:
Current and future cyber risks: It protects your business against common cyber threats, such as ransomware, and also against new techniques that criminals could use in the future, provided the policy wording is not tied to a fixed list of attack types. Check the wording rather than the marketing summary.
GDPR investigations: Insurers will pay to defend and settle claims made against you for failing to keep customers' personal data secure, or for alleged non-compliance with GDPR. They will also pay the costs of regulatory investigations and settle civil penalties levied by regulators where those penalties are insurable under local law.
Free staff training: 66% of incidents arise from human error. Some insurers can provide you with GCHQ certified training in order to make you less likely to be the victim of an attack.
Business interruption: Covers the cost of getting your business back to normal and compensation for loss of income, including where it is caused by damage to your reputation.
Reputation protection: In the event of a data breach, prompt, confident communication is vital to keeping a company's reputation intact. Insurers can provide PR and crisis management through a leading public relations firm, from developing communication strategies to running a 24/7 crisis press office.
Extortion: If a hacker holds your systems or data to ransom, or threatens to publish information, the policy covers the ransom paid (typically subject to the insurer's prior consent) and the services of a leading risk consultancy firm to help manage the situation.
Data breaches: Where personal data (electronic or otherwise) is accessed without permission, most insurers offer practical support like forensic investigations, legal advice, notifying customers or regulators. They can also help with credit monitoring for your affected customers.
Human errors: When mistakes made by staff or suppliers result in a data breach.
System damage: Insurers will reimburse you for the costs of repair, restoration or replacement if your computer network, systems, website or electronic data are damaged by a hacker, virus or cyber-attack.
Financial crime and fraud: When cyber criminals use the internet to steal funds, impersonate your business or deceive employees into transferring money or goods.
Property damage: Where an incident has caused physical damage to equipment or property, some policies cover the cost of repair or replacement; many exclude it, so check whether it is included or needs to be added.
Dependent business interruption: Where there is a loss of revenue or increased costs incurred when a supplier’s systems are taken offline by a cyber incident.
Managing Cyber Risks
As well as putting adequate insurance in place, it is important for you to manage your own cyber risks as a business. This includes:
- Evaluating the first- and third-party risks associated with the IT systems and networks in your business.
- Assessing the potential events that could cause first- or third-party risks to materialise.
- Analysing the controls that are currently in place and whether they need further improvement.
- Regular training for staff. Attack techniques develop all the time, and staff need to be kept up to date with the latest threats to watch out for.
- Data encryption. This is different from having a password: it scrambles the data on a disk so that it can only be read with the decryption key. A login password alone does not protect data on a disk removed from a lost or stolen device.
- Storing portable devices securely. Limiting the chance of laptops, tablets or memory sticks being left in public reduces the risk of a breach arising from a lost device.
- Keeping up with legal changes. Stay up to date with changes in the law so that your insurance does not become invalid without your knowledge.