A cyber security attack can have enormous ramifications for your company. Not only might you be liable to pay compensation claims to your clients following a breach, but you may have to spend significant sums on repairing the damage, recovering the data and re-securing your networks. On top of that, if customers lose confidence in you, the damage done to your reputation may lose you even more business down the line.
Cyber insurance, sometimes known as cyber liability insurance, can cover your financial losses and help you handle any bad press following a cyber security attack. This guide will take you through the ins and outs of cyber insurance including:
- What is cyber insurance?
- What does cyber insurance cover?
- Who needs cyber insurance?
- How much does cyber insurance cost?
- How much cover do I need?
- How to find a cyber insurance provider
- Things to consider before purchasing a policy
- Final thoughts & FAQs.
What is cyber insurance?
One of the biggest risks for any business today is a digital risk. Having an online presence, carrying out transactions online, or even just storing data, files and records on computer systems, opens you up to cyber risks. Whether someone hacks your website for a few hours or your network systems are down for a few days, you could be facing substantial reparation costs together with a loss of income from your company’s downtime. Cyber insurance is designed to protect you against digital business interruption, covering the costs of repairing vulnerable systems and can provide you with expert advice on how to deal with a security problem.
Cyber insurance works similarly to other kinds of business insurance. If your business premises suffered a physical problem preventing business operations from taking place, your usual business insurance package would typically cover you against your loss of income as well as the costs of sorting out the problem.
Should anything happen to your business’ information technology infrastructures, website, emails or other servers or networks, cyber insurance exists to cover you for these issues. Cyber insurance can cover both first-party and third-party costs for financial and reputational damage repair if data is lost, damaged, corrupted or stolen.
What does cyber insurance cover?
Broadly, cyber insurance covers first and third parties for damages of a financial and/or reputational nature as result of a cyber-attack.
First party cover
The first party refers to your business, the company who has suffered the attack. Cyber insurance can cover the first party with costs to do with:
- investigating the cybercrime
- recovering any data lost in a security breach
- loss of or damage to digital assets, whether that’s data or software programmes
- theft of money or digital assets through electronic theft
- restoring computer systems, networks and security
- loss of income incurred by the business during network downtime, known as business interruption
- managing the business’ reputation following an incident
- any extortion payments demanded by hackers
- notifying customers of a privacy breach where there is a legal or regulatory requirement to do so.
An extensive cyber policy can also include even further cover, such as education and cyber security training for employees to prevent further cyber attacks, following an incident. Employees must receive regular, up-to-date training on cyber security, as the field evolves rapidly, continually presenting new security risks for a company.
Third party cover
The third-party refers to anybody adversely affected by the breach, which is usually your customers. For instance, a hacker may access your customers’ personal data, in which case you may be liable to pay compensation to your customers, or other damages.
Insurance can cover you for these damages and settlements, as well as the cost of legally defending yourself against claims of a GDPR breach (in most policies, GDPR coverage is additional).
Additional cover
Sometimes, a cyber insurance policy can help with incidents relating to your company’s computer systems or data, even if there isn’t a link to cybercrime. Events typically included under your cyber insurance policy are:
- system failure. If your computer system fails but not as a result of a malicious attack, you may still receive cover from your cyber policy. Reasons might be a power cut, natural disaster or overheating. You may be able to claim for repair costs and system restoration, too
- copyright infringement. Companies with a digital presence may inadvertently infringe copyright laws, perhaps by using an image without the correct permission. Some insurers can provide cover for these incidences if someone makes a claim against your company
- hardware or devices. If devices used by your company are damaged, lost or stolen, you may be able to receive a payout from your insurer. Devices may include laptops, phones or storage devices.
Who needs cyber insurance?
Nowadays, almost all businesses rely on data they store, save or send. If your day-to-day business activities rely on information technology infrastructure in any capacity, you could be vulnerable to cyber-based risks, which may result in financial or reputational loss.
For start-ups and multinational businesses alike, a cyber breach can be devastating. Already in 2020, there have been several notable cyber security incidents. EasyJet was the victim of a sophisticated cyber attack in May (2020), a breach which affected over 9 million customers.
Not only do cyber liability policies offer financial security, but they can also provide much-needed support following an incident, helping your company get back on its feet after a severe breach. For smaller companies, this experience and advice can be invaluable when it comes to recovering from a cyber attack.
Some sectors where companies commonly take out a cyber insurance policy include those in the accountancy, advertising, consultancy, education, law, publishing, recruitment, technology, telecoms and transport industries. However, it can be relevant to almost any company using computing technology. It’s particularly worth considering a cyber insurance policy if your business does any of the following:
- holds sensitive customer details, such as names, addresses or bank details
- relies heavily on its IT infrastructure to operate
- relies on their websites to conduct their business
- processes payment card information as part of its daily business activities.
The costs of a cyber attack can quickly mount up. There may be a whole host of expenses that you hadn’t considered when it comes to a simple data leak or information theft. Not only are digital assets costly to recover, but you need to factor in compensating third-parties for any data protection breaches. Add to this the cost of reinstating security or implementing new security measures, as well as taking into account the revenue you may have lost during the time your business is recovering, cyber insurance has become a necessity for many businesses.
To figure out how much a breach could cost you, you can use an online cyber risk calculator to see how much a cyber breach could cost your business.
The Mondelez and Zurich case
Cyber insurance has grown in popularity in recent years. One particularly prominent case has shaped the way companies and insurers view cyber insurance. It has been cited as a factor for why many companies are now seeking robust, standalone, cyber-specific policies. Before, many companies had assumed that their general non-cyber specific policies could cover them for financial and reputational losses related to a cyber incident.
In June 2017, Mondelez International, owner of Oreo and Cadbury, fell victim to the NotPeya ransomware attack. Mondelez is one of the largest companies in the US by market capitalisation, and after the attack affected around 1,700 of its servers, irreparably damaging over 24,000 laptops, Mondelez suffered losses estimated at a staggering $100 million (about £81 million). Fortunately, or so they thought, Mondelez had a comprehensive all-risk property insurance policy with Zurich.
However, Zurich denied their claim based on a clause excluding any loss or damage resulting from a ‘hostile or warlike action’, as links found served to suggest that NotPeya was part of an attack from Russian hackers on the Ukrainian government.
Mondelez subsequently tried to sue Zurich for its refusal to pay out for the claim. Mondelez claimed Zurich had breached its contractual obligations, failed to honour promises and had conducted business in bad faith. The case attracted a lot of attention as it was the first serious legal dispute of its kind over the extent to which companies can recover the costs of a cyber attack. It has prompted many insurance companies to tighten their definitions and wording in their policies and exposed an urgent need for businesses to reassess their levels of insurance and consider a standalone cyber-specific policy.
How much does cyber insurance cost?
There are several factors which affect the cost of cyber insurance. The higher a business’ annual revenue, the more the insurance will cost. Other considerations include the industry in which a company operates, as some sectors are significantly more vulnerable to cybercrime. The type of data stored by the company also plays a role – more sensitive data tends to require higher coverage. Finally, the level of network security your company has will affect how much you pay for insurance.
You may be able to lower your premiums if you can prove to your insurer that you have taken steps to mitigate your risk. Some insurance providers even require evidence of this before they will consider insuring you. Proof can be any of the following:
- showing you have implemented security measures such as anti-virus and malware software, you can also carry out a cyber security risk assessment
- demonstrating that your employees receive regular education and cyber security certifications, to ensure all the company employs best-practises to minimise the risk of cyber attacks or security breaches
- showing that you having reactionary policies in place. This includes monitoring, notification and alarm systems to alert you to an incident as soon as it happens
How much cover do I need?
Most cyber insurance policies available for SMEs offer between £100,000 and £5 million of cover. Most smaller businesses opt for plans that have around a £1 million limit. Larger firms with a higher risk can arrange significantly higher cover to reflect their increased risk, for example, if they handle a large amount of credit card transactions or store a significant amount of sensitive information.
How much cover you need will depend on the type of company you are and in which industry you operate. Almost all companies that operate digitally or online will need network security coverage, which typically includes the cost of data breaches to third parties, theft of intellectual property, extortion and other system or network failures. This part of the insurance policy tends to be relevant for almost any company storing sensitive information in a network or system.
Privacy liability coverage offers protection for other vulnerabilities, such as human error or theft of devices, or eventualities that don’t come under an explicitly malicious attack. This part of a cyber insurance policy also covers the costs related to notifying third-parties of a breach and can help with regulatory fines and recovery costs, usually including forensic investigation following a cybercrime attack.
Media liability coverage is the last aspect of a policy, which may nor may not be relevant to your business. Events covered by media liability include copyright and trademark infringements, which may be an issue if you use pictures on your website, social media or in your marketing. Media liability coverage can also cover malicious defacement of a website and libel.
How to find a cyber insurance provider
Finding a cyber insurance policy can seem like a daunting task, particularly if you have no dealings with the cyber side of your business. Fortunately, whichever route you take to finding a policy, you can seek advice along the way. You can either buy a standalone policy directly from an insurance provider through one of their sales advisers or choose to go through a broker.
Going direct
More and more insurance providers are offering a cyber insurance policy. Usually, you can purchase a standalone cover to secure your business against all manner of cyber-related risks. However, it may be cheaper and more convenient, particularly for smaller companies, to add this cover onto an existing policy or include it in part of a package insurance deal.
Comparison websites
Approaching multiple insurance providers can be time-consuming. It’s hard to know where to start, and while one company may appear cheaper, you may find they lack certain features offered by other providers.
Going through a broker
Alternatively, you can buy a cyber insurance policy through a broker. Brokers often have access to better deals than customers who approach insurers directly, both in terms of price and coverage. You can also find many brokers who specialise in cyber risk insurance through the British Insurance Brokers’ Association (BIBA). Opting for brokers listed here ensures their credibility in the field, demonstrating that they uphold exacting industry standards.
Things to consider before purchasing a policy
With so much variation in policies, it can be challenging to purchase the right plan for you. It’s a good idea to come armed with some knowledge of what policies can and cannot cover, so you get the right protection. Consider the following points before you begin:
- Does the policy include human error and non-malicious attacks?
- What are the deductibles? The excess for a cyber insurance policy can be around £1,000.
- Does your coverage and policy limits extend to third-parties? This is a particularly important aspect for any businesses with a large customer or client-base.
- How long does the policy last? Some companies do not find out that they have been the victim of a cyber attack for years. If you discover a security breach seven years down the line, will your policy cover you? If not, you could face the compensation, reparation and notification costs alone.
- Does your policy cover your company globally? Digital breaches can happen from anywhere in the world – make sure your cover reaches as far as your digital presence.
- If income protection is a large part of your policy, at what point does it kick in? Some policies start from hour zero of discovery – others won’t cover you for income losses until 12 hours after the event.
These questions are helpful to keep at hand when comparing policies. It’s a good idea to ask the same questions to your providers when you’re considering their insurance – if your responses don’t match up, it may be worth looking elsewhere.
Final thoughts & FAQs
Cyber threats are quickly becoming one of the largest and fastest-growing risks for governments and companies alike. Not only are cyber attacks devastating for business operations and costly to repair, they usually have expensive ramifications for a business’ compliance with laws and regulations surrounding customers’ sensitive data.
For many businesses, the biggest threat of a cyber risk comes from the fact that the cyber security risk environment changes on an almost daily basis. For many companies, it can be near impossible to keep up with the latest threats. Even for larger companies with dedicated cyber security teams, it’s never possible to guarantee your company’s security entirely. If the worst happens, cyber insurance can help to ensure that you’re back in business as soon as possible.
What’s the difference between cyber insurance and data breach insurance?
While cyber insurance can cover a business against all kinds of cyber risks, covering both financial and reputational damages, data breach insurance typically refers specifically to monetary cover. The latter is purchased by organisations to protect their economic interests, should a data loss or theft occur. In the UK, the two terms tend to be used interchangeably.
What about personal cyber insurance?
Individuals can also take out a personal cyber insurance policy with some providers. This kind of policy covers the individual for the replacement or repair of their personal computer, laptops, tablets, mobile phones or other hardware as well as their own programs, following cyber theft or hacker damage. A personal cyber policy can also help recover digital data, including pictures and videos if they have been damaged or corrupted by a hacker.
A few providers can offer personal cyber insurance as a standalone policy; however, for most insurers, personal cyber cover exists as an optional add-on to a home insurance policy.
What’s the difference between cyber insurance and internet liability insurance?
Internet liability insurance protects businesses from liabilities that comes from conducting business over the internet. It can cover copyright infringement, defamation or violation of privacy. Cyber insurance refers to a more comprehensive cover, typically extending cover to third-parties and covering malicious cyber attacks and the related costs. Cyber insurance can also offer cover for any income lost due to business interruption or other financial ramifications of a cyber attack.