Cyber insurance, also known as cyber liability insurance or cybersecurity cover, is a policy which provides financial protection and expert support to help recover from a cyberattack or data breach. It can provide the necessary financial resources to cover your legal liabilities, pay ransomware demands, cover your loss of profits, pay expenses such as incident response, forensic investigations, legal fees, public relations costs, customer notifications, and potential regulatory penalties.
A policy can provide protection against a wide range of cyber risks that businesses face in the digital age. These include but are not limited to data breaches, malware attacks, phishing scams, ransomware, denial-of-service attacks, network disruptions, employee actions, social engineering fraud, mistakes, negligence, IT failures, and vendor failures. Understanding the breadth of coverage offered by cyber insurers is crucial for companies seeking comprehensive protection.
A comprehensive policy will help businesses safeguard their finances, ability to operate, and reputation, by providing financial protection and resources to navigate an attack or data breach. The cover can mitigate the devastating consequences caused by cyber criminals who seek to profit from a cyber threat or ransomware attack.
It is commonly accepted that all businesses require protection against a wide range of digital threats. The resulting exposures may include legal expenses, theft of personally identifiable information, unauthorised access to sensitive data, reputational damage, and costs associated with regulatory compliance and breach notification.
In addition, policies can provide access to specialist incident response services, which are invaluable in reducing the exposures associated with malicious software, criminal extortion, and sensitive data leaks. By addressing these risks, a policy can provide companies with a safety net against the impact and financial consequences.
The cover can protect against a wide range of damages awarded that result from data breaches, attacks, unauthorised data access, loss of sensitive information, and other forms of malicious or accidental incidents. If sensitive or confidential information is disclosed without permission, the entity responsible for securing that information may face significant financial liabilities for failing to protect it. If you are contracted to provide a service or software solution, it is becoming increasingly important that you maintain network security and privacy liability cover alongside professional indemnity insurance.
Means a failure of computer security to prevent unauthorised access, or the transmission of malicious code, that results in a liability claim.
Means an actual or alleged loss of all data that can identify a natural individual, otherwise known as personally identifiable information.
Means an actual or alleged loss or unauthorised disclosure of third party information which you are legally required to maintain in confidence.
Otherwise known as network security and privacy liability insurance, it provides cover for your legal liabilities arising from damages and defence costs from third-party claims arising from a network, information or privacy breach. For example, it can offer protection from your legal liabilities in failing to prevent an individual's personally identifiable information being stolen, or in inadvertently transferring harmful malware to a third party which causes them a financial loss. This coverage is being more commonly requested under contract to ensure that, if there is an incident, the client has the ability to seek damages.
Otherwise known as breach response, this section will generally respond to all of the costs involved in immediately responding to an incident. A policy can include IT security, forensic investigation, legal advice in relation to breaches of data security, and the costs associated with having to notify individuals who have had their information stolen under data protection laws (e.g. GDPR). The incident response section of a policy provides access to experts as well as paying for their services. This is one of the most important protections provided under a policy because it provides access to the right specialists without any delays. Please note the most important decisions are made within the first 24 hours after an event.
Will respond to fraudsters attempting to extort money by threatening to carry out an attack, or threatening to expose or destroy information having already compromised the network. A policy will pay the ransom demanded to stop a data leak and restore your systems. The two most common types of extortion are ransomware and DDoS (Distributed Denial of Service) attacks. These types of claims against policies have been on the rise over the past couple of years, with businesses increasingly targeted by criminals who expect the cover to respond in the event of an extortion attempt.
Can indemnify you for the loss of profits and increased costs because of a security breach. There is usually a 12-hour waiting period as a deductible, then during the time you are unable to trade the policy will reimburse your loss of net profit and increased costs. This section aims to reimburse the business for the difference between the typical income of the business and the reduced generated income during the shutdown caused by a cyber event. The purpose of business interruption cover is to soften the blow of the losses incurred when a business cannot operate due to a covered loss. The insured shall not profit from the business interruption section.
Protects against third-party claims arising out of defamation or infringement of intellectual property rights. Claims will typically arise from communicating, reproducing, publishing, disseminating, displaying, releasing, transmitting, or disclosing media content, including social media. It can also include infliction of emotional distress, or other tort related to disparagement or harm to the reputation or character. The media section started out in cyber policies to offer protection in respect of online content only, but as policies have broadened over the years, it’s not uncommon for full media cover to be provided.
Provides for the costs of electronic data or computer software to be repaired and restored in the event computer systems are damaged by an attack, often critical in getting the company operating again. Additionally, it can typically provide for the legal costs and expenses to defend the business in a regulatory proceeding. It can also indemnify regulatory fines and penalties imposed by a government or regulatory body because of a security breach, where permitted by law.
Typically, policies can be separated into:
Third-party cover is commonly requested by clients under contract to ensure they can seek compensation against your business because of a breach or attack where you are legally liable.
Provides financial protection from a fraudulent taking, or appropriation of money, securities, or property (third-party, employee, or to the deprivation of a client).
Every business, not just technology companies, is exposed to cyber risks and should consider a policy to mitigate these threats. As criminals become more sophisticated and the technology you use becomes more connected, so do the threats of financial harm. We've identified some objections about the need to arrange coverage and want to challenge some of the assumptions:
Our network is hosted by a third-party provider - Whether or not you outsource any services to third-party providers, any data breach will be your responsibility, and your ability to recoup costs from such a third party may be limited.
We don't process or hold sensitive data - Considering the extended scope of GDPR, most businesses will now hold personal information (e.g. email addresses) on their customers; note this doesn't need to be credit/debit card details.
Our computer system has high security - No system can ever be 100% protected, no matter the levels of security controls embedded. Good risk management promotes risk transfer as a valuable mechanism for unforeseen events.
Cyber-attacks only occur at large corporations - Large recognisable brands can make the news, but insurers' claims experience shows that criminals will not discriminate against small to medium-sized businesses, especially those with lesser controls.
There are various factors we discuss below that can impact insurers' perception of your cyber exposure. Underwriting your application is a subjective process and each insurer will take an individual view when calculating your premium. However, the guide below should provide some helpful information to understand what the cover may cost your business and how you can improve your risk profile.
The industry in which you work will impact your susceptibility to breaches, and therefore your premium cost. For example, the following industries carry an increased exposure to claims: accountants, casinos, data aggregators, education sector, financial services, hospitals, hotels, medical industry, payroll services, professional services, solicitors, telecommunications, trading platforms, online gaming, and payment card processors. It's important to clearly identify what business activities you undertake when applying for cover.
Turnover is a direct rating factor for insurers to calculate your premium cost. The larger your business, the higher the premiums your business will be required to pay. There will also be certain thresholds where insurers will provide discounted rates to grow their portfolio. For example, the market for companies with a turnover of less than £1 million is the most competitive, whereas there is significantly less competition when your turnover exceeds £100 million.
The number of individual data subjects (the individuals whose personally identifiable information, or PII, you hold) is another direct rating factor for insurers. Fewer than 25,000 is commonly acceptable; once you breach the 100,000 or 250,000 threshold this will impact insurers' decision making. In addition, the type of data you hold or process will impact your premium. Sensitive data such as banking details, card details, and medical information is perceived as the highest risk. The larger and more sensitive the data you process or hold, the greater the risk to insurers, and it will attract higher premium charges.
Insurers will want to understand your turnover split by territory. Certain countries such as the US are more litigious in nature and allow for class actions (otherwise known as collective actions) on an opt-in basis, which makes it that much easier for claimants to bring a demand for compensation in a court of law. The higher exposure to a legal system which makes more frequent and higher awards means insurers will need to charge higher premiums when calculating the cost of your policy.
There is a growing emphasis from insurers on requiring minimum controls as conditions within the policies. Cybersecurity remains the first line of defence, and if insurers are going to accept your risk, they want to make sure you adhere to best practices that mitigate your exposure to claims. Premium discounts will be available for companies which are able to demonstrate their risk-averse nature. Common controls required by insurers include: backups of critical data, VPN for remote access, multifactor authentication for cloud-based services, and cybersecurity training.
If you have been the subject of cyber breaches that would have been insured, you need to disclose that information even if you didn't have a policy in force. Unfortunately, you will incur higher premium costs if you have been the subject of cyber claims in the past five years. Insurers will want to understand exactly what occurred, how much the cyber incident cost, and what remedial actions were taken to stop a similar incident occurring again.
It can provide financial protection and proactive tools to help guard against the consequences of cyber-attacks, data breaches, and other malicious online threats. Many policies today also include services that help the insured respond to an incident. This can involve access to cybersecurity experts who can remedy the breach and manage getting your systems up and running, legal teams to address compliance issues, breach notification services, and public relations professionals to handle any communications.
A policy can provide financial protection and expert support in the event of an attack or data breach. However, it is important that the business also considers a proactive approach. The cyber hygiene measures identified in many insurers' minimum requirements need to be implemented, given that many threats remain relatively unsophisticated.
Cover is increasingly viewed as an essential component of a company or organisation's risk management strategy, especially as the frequency and severity of events and information breaches continue to rise. It's important to note that policies can be tailored to fit specific needs, dependent upon the industry, size, exposure, amount of personally identifiable information, and sensitivity of that personal information. Therefore, it's worth engaging with a broker to discuss your requirements.
Factors to consider include limits, deductibles, policy terms and conditions, retroactive dates, sub-limits, and additional services provided by the insurer. It's worth noting that each insurer's cover, definitions, exclusions, and conditions will vary. Working with an experienced broker can make all the difference in making sure your company is adequately protected from threats at a cost-effective premium.
All the insurers we work with have an AM Best rating of A+ and are regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
Cyber risk management is becoming increasingly important, with attacks becoming more sophisticated and prevalent, targeting businesses of all sizes and industries. From ransomware attacks to data breaches, hackers exploit vulnerabilities in systems and networks, causing significant harm to businesses. Understanding the nature and severity of these threats is crucial in comprehending the necessity of a policy in the digital age. The costs associated with recovering from a malicious attack, employee action, or vendor failure can be very expensive, not to mention the legal liabilities if you have failed to protect client information, or regulatory fines imposed under law (e.g. GDPR).
Our mission is to provide our clients with the knowledge, expertise, and advocacy to secure the best cover at the lowest cost premium. We work with a wide range of insurers to ensure we can secure the most competitive cover to protect your business.
Ensure you're fully protected and compare quotes from the wholesale market by completing our digital onboarding process, or give us a call on 0345 625 0711 to discuss your requirements.
Cyber Essentials is a government-backed scheme launched by the UK government in 2014. It is primarily aimed at small and medium-sized enterprises (SMEs). The scheme focuses on basic cyber hygiene measures to help reduce a company's vulnerability. The cover provided is typically deemed insufficient for most businesses and non-profit organisations, given the size of the limits available and scope of the cover.
A policy is designed to protect against a wide range of threats and incidents, which can significantly impact your financials, operations, and reputation. Some of the key risks include:
Data Breaches: Unauthorised access to or theft of data, including sensitive customer information like payment card numbers, passport information, or health records.
Ransomware Attacks: Malicious software that encrypts data and demands a ransom for the decryption key. Coverage can include the ransom payment, as well as costs associated with recovery.
Social Engineering: Fraudulent schemes that often involve email phishing attacks aiming to trick employees into transferring money or sensitive information to attackers.
Denial of Service (DoS): These are designed to overwhelm systems, networks, or applications to make them unavailable to intended users. A policy can cover business interruption losses and the cost of mitigating the attack.
Malware and Viruses: Software designed to damage or gain unauthorised access to computer systems. Insurance can cover the costs related to eliminating the malware and restoring systems to normal.
Data Loss: This includes data destroyed by cyber-attacks or accidentally deleted or corrupted by employees. Cover often includes the cost of restoring or recreating data.
Legal Action and Regulatory Fines: Costs arising from legal actions taken against an organization for failing to protect data or for violating privacy laws, along with potential regulatory fines.
Reputational Damage: Costs associated with managing and mitigating damage to your reputation following an event, including crisis management and public relations.
Given the increasing frequency, sophistication, and impact, comprehensive coverage can play a vital role in helping manage these risks effectively. It acts not just as a financial safety net, but also as a comprehensive support system in the face of new risks.
Resilience is an important consideration during the business insurance application process and commonly a prerequisite to obtaining the required cover. It refers to the internal practices and features applied to help maintain a minimum level of security.
Effective cyber hygiene involves a variety of regular activities such as:
Regular Software Updates: Keeping all software up to date, including operating systems, applications, and security software, to patch security vulnerabilities.
Use of Strong Passwords: Creating and using strong, unique passwords for all accounts and using a password manager to keep track of them.
Multi-Factor Authentication: Enhancing security by adding a second layer of protection to account logins, such as a text message code or an authentication app, for email accounts and your back-end software.
Regular Backups: Performing regular backups of important data to prevent data loss in the event of a cyber-attack or hardware failure.
Secure Network Connections: Using secure, encrypted connections to access the internet, avoiding public Wi-Fi without a virtual private network (VPN), and ensuring that home and business networks are secured.
Anti-Virus and Anti-Malware Protection: Installing and maintaining anti-virus software to detect and remove malicious software.
Education and Training: Keeping oneself and employees trained on the latest cybersecurity threats and how to avoid them, such as recognizing phishing emails and malicious websites.
Limiting User Access: Restricting user access to the information necessary for their work duties to minimise the risk of insider threats or accidental data exposure.
In the United Kingdom, company directors have certain legal responsibilities and potential liabilities associated with their role. It's important for directors to understand these obligations and ensure compliance with the law.
The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. Its role includes protecting consumers, keeping the industry stable, and promoting healthy competition between financial service providers.