What is cyber insurance? Coverage Explained

Cyber Insurance Coverage Explained

Expert Business Guide


Key takeaways

  • Each insurer's cyber insurance policy is different, so it is difficult to make a direct comparison without the assistance of an insurance broker
  • Main covers typically include Incident Response, Cyber Liability, Extortion, Business Interruption, Notification Costs, Media Liability, and Cyber Crime
  • Cyber insurance is increasingly viewed as an essential component of a company's cyber risk management strategy
  • Cyber resilience and hygiene factors are important when applying for insurance, to ensure you meet insurers' minimum security requirements




What is cyber insurance?

Cyber insurance, also known as cyber liability insurance, is a type of business insurance which offers financial protection and expert support to help recover from a cyber attack or data breach. Cyber insurance can provide access to specialists to deal with a cyber incident, pay ransomware demands, cover your legal liabilities, loss of profits and regulatory fines, and meet a variety of other recovery expenses.


Do you need cyber insurance?

Businesses of all sizes should consider cyber insurance to protect against evolving digital threats. A cyber policy can help businesses safeguard their finances, operations, and reputation, by providing protection and resources to navigate a cyber attack or data breach.

Cyber insurance can protect against a wide range of cyber threats including: data breaches, malware attacks, phishing scams, ransomware, denial-of-service attacks, network disruptions, employee actions, social engineering fraud, IT failures, and vendor failures.

Additionally, cyber insurance can provide for the costs and expenses related to the theft of personally identifiable information, unauthorised access to sensitive data, reputational damage, and regulatory compliance and breach notification, as well as the devastating consequences of a ransomware attack by criminals seeking to profit from it.


What does cyber insurance cover?

Policies can be complex and difficult to compare directly; however, cyber insurance can be separated into two broad coverage sections: 1) First-party cyber insurance, which covers your own costs and expenses; and 2) Third-party cyber insurance, also known as network security and privacy liability, which covers your legal liabilities and legal defence.

  • First-Party Cyber - Includes your costs and expenses arising from a cyber incident, including extortion demands, notification costs, forensic investigation, system damage, regulatory fines, and business interruption loss of profits and increased costs.
  • Third-Party Cyber - Includes your legal liabilities, damages awarded by a court, and the legal expenses to defend any allegations. Cover is commonly requested by clients under contract to ensure they can recover compensation from you if you are at fault.


Cyber cover explained:

Below we take a closer look at each of the covers provided under a comprehensive cyber insurance policy. Please note each insurer's policy will be different, but cyber insurance cover can be compared under the below headings:


1) Cyber incident response

Otherwise known as cyber breach response, this cover will generally respond to all of the costs involved in immediately responding to an incident. These services can extend to IT security, crisis containment, regulatory compliance, and legal advice, to ensure you are best informed to make the right decisions.

Cyber incident response can provide access to specialists as well as paying for their services. An immediate and effective response can significantly reduce the impact of a cyber attack or cyber security breach, limiting data loss, financial damage, and reputational harm. This is one of the most important protections provided under a policy because it provides access to the right specialists without any delays.

Please note that the most important decisions are made within the first 24 hours after an event. Effective incident response services can mitigate the cyber threat before the impact becomes significant.


2) Cyber liability insurance

Covers your legal liabilities arising from allegations made by third parties seeking compensation. Cyber liability insurance takes three forms - network security liability, privacy liability, and information liability - as discussed below:

  • Network security liability relates to a failure of computer security to prevent unauthorised access, or the transmission of malicious code

  • Privacy liability relates to an actual or alleged loss of all data that can identify a natural individual, otherwise known as personally identifiable information

  • Information liability relates to an actual or alleged loss or unauthorised disclosure of third party information which you are legally required to maintain in confidence

A cyber insurance policy can offer financial protection against the legal costs to defend an allegation and pay damages awarded by a court if you are found to be at fault. Cyber claims will typically originate from a data breach, cyber attack, unauthorised data access, loss of sensitive information, or other forms of malicious or accidental incident.

If sensitive or confidential information is disclosed without permission, the entity responsible for securing that information may face significant financial liabilities for failing to protect it. If you are contracted to provide a service or software solution, it is becoming increasingly important that you maintain network security and privacy liability cover alongside professional indemnity insurance.

For example, cyber liability insurance can offer protection from your legal obligations in failing to prevent an individual's personal data being stolen or inadvertently transferring harmful malware to a third-party which causes them a financial loss. Cyber liability cover is commonly requested under contract to ensure that if there is a cyber event, your client knows you have the financial means to settle a claim made against you.


3) Cyber extortion insurance

The cover will respond to fraudsters attempting to extort money by threatening to carry out an attack or threatening to expose/destroy information having already compromised the network. Cyber extortion insurance will pay the ransom demanded to stop a data leak and restore your systems.

The two most common types of extortion are ransomware and DDoS (Distributed Denial of Service) attacks. Claims of this type have been on the rise over the past couple of years, with businesses increasingly targeted by cybercriminals who expect insurance cover to respond to an extortion attempt and therefore expect a large payout.

Cyber extortion involves threats of damaging actions, such as data destruction, service disruption, or public exposure if the victim does not comply. Ransom payments are usually demanded in bitcoin to make them harder to trace.


4) Cyber business interruption

The cover can indemnify you for the loss of profits and/or increased costs caused by a cyber security breach. There is usually a 12-hour waiting period, acting as a deductible, before the coverage starts; thereafter, for the time you are unable to trade, the policy will reimburse your loss of net profit and increased costs.

This cover aims to reimburse the business for the difference between the typical income of the business and the reduced generated income during the shutdown caused by a cyber event. The purpose of business interruption cover is to soften the blow of the losses incurred when a business cannot operate due to a covered loss. The insured shall not profit from the business interruption section.

If your business is heavily reliant upon software and systems to operate, business interruption cover is a valuable protection because extended downtime can severely impact your profitability and cash flow. It's important to maintain accurate financial records, allowing insurers to assess the impact of a cyber incident - such as a ransomware attack, denial-of-service (DoS) attack, or system outage.


5) Cyber notification expenses

The cover refers to the costs associated with having to notify individuals whose information has been stolen, as required under data protection laws (e.g. UK GDPR).

Whilst not always perceived as a high cost, outsourcing the notification service to a specialist third party in order to meet your regulatory obligations to the Information Commissioner's Office can cost £20-£40 per individual notified. This means that if your business holds a significant amount of personal data, these costs can spiral very fast.

Additional costs and expenses can include: (1) credit monitoring, if affected individuals have had sensitive financial information stolen; and (2) the cost of setting up dedicated call centres to answer questions, handle customer queries, and offer reassurance.


6) Media liability

Provides cover for third-party claims arising out of defamation or infringement of intellectual property rights. Claims will typically arise from communicating, reproducing, publishing, disseminating, displaying, releasing, transmitting, or disclosing media content, including social media.

It can also include infliction of emotional distress, or other tort related to disparagement or harm to the reputation or character. The media section started out in cyber policies to offer protection in respect of online content only, but as policies have broadened over the years, it’s not uncommon for full media cover to be provided.


7) Data and software restoration

Provides for the costs of repairing and restoring electronic data or computer software in the event computer systems are damaged by a cyber attack, which is often important in getting the company operating again.


8) Regulatory fines and penalties

A policy can typically provide for the legal costs and expenses to defend the business in a regulatory proceeding. It can also indemnify regulatory fines and penalties imposed by a government or regulatory body because of a cyber security breach, where permitted by law.


9) Public Relations and Crisis Management

Cover can provide for engaging PR specialists to manage public perception and maintain the company's reputation after notifying stakeholders and the public.


Misconceptions about cyber insurance

Every business, not just technology companies, is exposed to cyber risks and should consider a policy to mitigate those threats. As criminals become more sophisticated and the technology you use becomes more connected, the threat of financial harm grows. We've identified some common objections to arranging coverage and want to challenge the assumptions behind them:

  • Our network is hosted by a third-party provider - Whether or not you outsource services to third-party providers, any data breach will be your responsibility, and your ability to recoup costs from such a third party may be limited.
  • We don't process or hold sensitive data - Considering the extended scope of GDPR, most businesses will now hold personal information on their customers (e.g. email addresses); note this does not need to be credit/debit card details.
  • Our computer system has high security - No system can ever be 100% protected, no matter the level of security controls embedded. Good cyber risk management promotes risk transfer as a valuable mechanism for unforeseen events.
  • Cyber-attacks only occur at large corporations - Large recognisable brands make the news, but insurers' claims experience shows that criminals do not spare small to medium-sized businesses, especially those with weaker controls.


If we have good cyber security do we need cyber insurance?

Cyber risk management is becoming increasingly important, with attacks becoming more sophisticated and prevalent, targeting businesses of all sizes and industries. From ransomware attacks to data breaches, hackers exploit vulnerabilities in systems and networks, causing significant harm to businesses. Understanding the nature and severity of these threats is crucial to understanding why a policy is necessary in the digital age. The costs associated with recovering from a malicious attack, employee action, or vendor failure can be very high, not to mention the legal liabilities if you have failed to protect client information, or regulatory fines imposed under law (e.g. GDPR).


What threats does a cyber risk insurance policy protect against?

A policy is designed to protect against a wide range of cyber risks and incidents, which can significantly impact your financials, operations, and reputation. Some of the key cyber threats include:

  • Data Breaches: Unauthorised access to or theft of data, including sensitive customer information like payment card numbers, passport information, or health records.
  • Ransomware Attacks: Malicious software that encrypts data and demands a ransom for the decryption key. Cover can include the ransom payment, as well as costs associated with recovery.
  • Social Engineering: Fraudulent schemes that often involve email phishing attacks aiming to trick employees into transferring money or sensitive information to attackers.
  • Denial of Service (DoS): These are designed to overwhelm systems, networks, or applications to make them unavailable to intended users. A policy can cover business interruption losses and the cost of mitigating the attack.
  • Malware and Viruses: Software designed to damage or gain unauthorised access to computer systems. Insurance can cover the costs related to eliminating the malware and restoring systems to normal.
  • Data Loss: This includes data destroyed by cyber-attacks or accidentally deleted or corrupted by employees. Cover often includes the cost of restoring or recreating data.
  • Legal Action and Regulatory Fines: Costs arising from legal actions taken against a company for failing to protect data or for violating privacy laws, along with potential regulatory fines.
  • Reputational Damage: Costs associated with managing and mitigating damage to your reputation following an event, including crisis management and public relations.


Why are cyber resilience and hygiene factors important when applying for cyber risk insurance?

Resilience is an important consideration during the business insurance application process and commonly a prerequisite to obtaining cover. It refers to the internal practices and features applied to help maintain a minimum level of cyber security. Effective cyber hygiene involves a variety of regular activities such as:

  • Regular Software Updates: Keeping all software up to date, including operating systems, applications, and security software, to patch security vulnerabilities.
  • Use of Strong Passwords: Creating and using strong, unique passwords for all accounts and using a password manager to keep track of them.
  • Multi-Factor Authentication: Enhancing security by adding a second layer of protection to account logins, such as a text message code or an authentication app, for email accounts and your back-end systems.
  • Regular Backups: Performing regular backups of important data to prevent data loss in the event of a cyber-attack or hardware failure.
  • Secure Network Connections: Using secure, encrypted connections to access the internet, avoiding public Wi-Fi without a virtual private network (VPN), and ensuring that home and business networks are secured.
  • Anti-Virus and Anti-Malware Protection: Installing and maintaining anti-virus software to detect and remove malicious software.
  • Education and Training: Keeping oneself and employees trained on the latest cybersecurity threats and how to avoid them, such as recognising phishing emails and malicious websites.
  • Limiting User Access: Restricting user access to the information necessary for their work function to minimise the risk of insider threats or accidental data exposure.


What is Cyber Essentials?

Cyber Essentials is a government-backed scheme launched by the UK government in 2014. It is primarily aimed at small and medium-sized enterprises (SMEs).

The scheme focuses on basic cyber hygiene measures to help reduce a company's vulnerability. However, the small limit of cyber cover provided with certification has received criticism because it is deemed insufficient for all but the very smallest businesses and not-for-profits. It is widely accepted that the cover provided by completing Cyber Essentials should not be taken as a substitute for your own cyber insurance.


About the author

Simon Taylor is a respected senior industry professional and a Chartered Insurance Broker with over 20 years of experience in the commercial sector as an underwriter, broker and director.