What is cyber insurance?
Cyber insurance offers protection against first and third-party losses arising from security and privacy breaches. The business insurance will typically cover a variety of financial losses and costs, in addition to assistance from cyber specialists to mitigate the damage of a cyber event.
What cyber insurance coverage is available?
Each insurer's standard offering can vary and the terminology may differ; however, the broad cyber insurance covers available are comparable and fall under the sections below:
Incident response and notification - provides access to cyber specialists to mitigate the damage of security and privacy breaches. This will typically cover IT security, forensic investigation, legal advice, and the costs associated with notifying any individuals that their data was stolen.
Cyber extortion insurance - provides cover for the costs in responding to fraudsters attempting to extort money by threatening to carry out a cyber attack or threatening to expose/destroy data having already compromised the network.
System damage insurance - provides cover for the costs of repairing and restoring data and applications in the event that computer systems are damaged by a cyber attack, which is often critical to getting the business operating again.
Business interruption insurance - provides cover for the subsequent loss of profits and increased costs of operating as a result of a security and privacy breach. It will typically respond in a similar way to traditional business interruption cover, but in response to a cyber event.
Cyber liability insurance - provides cover for your legal liability for damages and defence costs from third-party claims arising from a security and privacy breach. Such claims typically arise from a failure to prevent an individual's data being breached or from the transmission of harmful malware to a third party.
Media liability insurance - provides cover for your legal liability for damages and defence costs from third-party claims arising from infringement of any intellectual property rights. This includes libel, slander or defamation via an electronic platform.
Regulatory fines insurance - provides cover for fines and penalties imposed by a government or regulatory body as a result of a security and privacy breach, where permitted by law.
The above sections can be deselected to tailor cover to meet your individual requirements. Compare cyber insurance quotes from the wholesale market by completing our online application.
Some insurers have recently sought to combine the covers available under cyber insurance and crime insurance, typically referred to as cyber and crime insurance.
What are the recent cyber attack statistics?
Many companies attempt to keep details concerning cyber attacks out of the public domain to mitigate damage to their reputation. However, PwC's Global State of Information Security Survey identified:
It is commonly accepted that cyber attacks and security breaches are increasing in frequency and sophistication. AIG's Cyber Report identified that their largest cause of cyber claims was a series of systemic malware and ransomware attacks (e.g. the WannaCry attack).
Why purchase insurance for cyber security?
Operating in a digital environment with an increasing reliance on technology means businesses require a cyber strategy to mitigate the potential impact of a cyber breach.
With increasing pressure from regulators to ensure responsibility for safeguarding personal data, businesses should maintain an incident response plan (otherwise known as a business continuity plan) to protect themselves from significant financial and reputational costs.
Cyber insurance can play a key role in supporting businesses of all sizes to both improve their resilience to breaches and help them recover if the worst should occur.
Many cyber insurance policies available today will provide access to specialists to assist with mitigating the damage caused by a security or privacy breach.
Why don't companies purchase cyber insurance?
We have seen many objections over the need to purchase a cyber insurance policy and want to challenge some of the assumptions made:
> We don't collect or hold sensitive data
Considering the extended scope of GDPR, most businesses will now hold personal information on their customers and are required to notify them in the event of a breach (note this doesn't need to include credit or debit card details).
> Our systems are secure and we've never had an incident
Much like other business insurance, the likelihood of an incident is relatively low, but the potential cost is high. Good risk management promotes cost-effective risk transfer as a valuable mechanism to manage unexpected events.
> Cyber attacks only occur at large companies
Large recognisable brands often make the news, but insurers' claims experience shows that criminals do not discriminate and readily target small to medium sized businesses to achieve their goals.
> Our network is hosted by a third-party provider
Whether or not you outsource any services to third-party providers, any breach remains your responsibility, and your ability to recoup costs under contract from such a third party may be limited.
How can a cyber breach occur?
Businesses of all sizes operating in all industries are faced with the threat of a cyber breach; these will typically arise from: 1) malicious attacks; 2) human failure; and 3) system failure.
Third-party cyber liabilities can arise if you:
> hold proprietary or confidential data;
> hold customer or employee personal data;
> publish electronic content;
> transact business or generate turnover over the internet; and
> outsource storage or processing of information to service providers.
How to manage a cyber event?
Obtaining early assistance from cyber specialists to mitigate the damage of a cyber event can be invaluable. Minimising the interruption to the business and starting the triage process early will reduce the impact of a cyber event.
MPR Underwriting has produced the below diagram to show how their incident response services work and the importance of the first 48 hours following a cyber event.
*Note: there are many types of cyber events covered; this is not an exhaustive list.
Crime insurance vs cyber insurance?
can potentially be covered under both cyber insurance and crime insurance; however, each policy seeks to mitigate the impact in different ways.
Different insurers offer varying scope of cover, and your desire to purchase specific covers (e.g. social engineering fraud or business interruption) will affect which insurers' policies best meet your needs.
Some insurers have more recently sought to combine the covers traditionally offered under crime insurance and cyber insurance under one policy.
How do cyber security threats arise?
The cyber risk to your systems and the potentially sensitive information you hold can come from a broad spectrum of threats.
The potential impact on your business of such a cyber attack will often depend on the opportunities presented, the attacker's capabilities, and their motivation.
Often simple mistakes and potential vulnerabilities provide the opportunities for attackers to gain access to your systems. They can occur through flaws, features or user error.
Preventing, detecting or disrupting the attack at the earliest opportunity will limit the impact and potential for financial loss and reputational damage.
Attackers can lie dormant for years until they identify a means to achieve what they want. It is worth noting that once an attacker has consolidated their presence, they will be more difficult to find and remove.
What are cyber information security measures?
Cyber information security refers to the processes and tools deployed to protect sensitive information from modification, disruption, destruction, and inspection.
The below identifies some best practices:
Information security policy
Limits personal data collection, retention and access
Accurate inventory of personal data
Compliance audits of third parties that handle personal data
Require third parties to comply with privacy policies
How do insurers underwrite your cyber insurance?
Insurers are confronted with a number of challenges in attempting to accurately price your cyber insurance, for example the diversity of exposures from different business activities, technological advances, the increasing sophistication of criminals and limited loss data.
Therefore, the pricing and cover that underwriters are able to offer is highly subjective and heavily dependent on an underwriter's individual assessment.
Below are key considerations when insurers review your individual cyber risk:
The allocation of turnover between different business activities and the perceived exposure attaching to each.
The quality of controls to mitigate a risk and the amount / type of data you collect and store.
Approximately how many individual GDPR Personal Data records do you hold?
For what percentage of the above records do you hold banking or credit / debit card information?
Are you Payment Card Industry (PCI DSS) compliant? If 'Yes' please confirm your PCI merchant level.
Are your employees trained in physical and electronic data security?
Do you maintain firewalls, antivirus software and encryption tools?
The size and scope of an applicant's activities territorially; typically an international exposure will increase your risk profile.
Frequency and severity of claims with a lack of remedial action can indicate poor risk management and systemic issues.
High cyber risk activities:
Accountants, Call Centres, Collection Agencies, Casinos, Data Aggregators, Education Sector, FCA Regulated Firms, Hospitals, Hotels, Payroll Services, Professional Services, Restaurants, Solicitors, Telecommunications, Telemarketing, Trading Platforms, Online Gaming, Payment Card Processors
How are UK companies regulated?
The Information Commissioner's Office (ICO) is the UK's independent body set up to uphold information rights. The ICO has a number of powers including criminal prosecution, non-criminal enforcement and audit.
For example, TalkTalk failed to properly protect customer data from a cyber attack and the ICO issued a penalty of £400k in 2017. However, the EU General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998 and now places even greater obligations on how organisations handle personal data.
Fines of 20 million or 4% of annual turnover, whichever is higher, are now permissible under the GDPR. In addition, individuals have the right to claim compensation for any damages resulting from an infringement, potentially leading to mass claims in large-scale infringements.
However, the ICO is not the only regulator able to issue fines. The Financial Conduct Authority fined Tesco Bank £16.4 million after 9,000 accounts were hacked and £2.26m was stolen in 2016.
What UK government bodies can assist?
> The National Cyber Security Centre identifies 10 steps to protect your business against a cyber event.
> ActionFraud (National Fraud and Cyber Reporting Agency) offers an online reporting tool with The National Fraud Intelligence Bureau.
> Cyber Essentials is a basic training course aimed at reducing your business's vulnerability to cyber attacks and security breaches.
> Cyber Security Courses for Business are free and aimed at helping staff understand online threats and how to protect businesses.
> Cyber Security Information Sharing Partnership (CiSP) is an industry and government initiative to exchange cyber threat information in real time to reduce the impact on UK companies.
How to compare cyber insurance quotes?
Complete our online application to compare cyber insurance quotes. We can typically provide quotes within 48 hours and offer a variety of options based on the information provided.
At get indemnity we continue to see soft market conditions and reductions in premiums for cyber insurance. Increasing competition within the cyber market means the cover offered by insurers continues to expand, with numerous extensions currently available.
If your organisation is perceived as carrying a high hazard exposure or you have recent claims activity, your cyber insurance broker should engage with you early to ensure sufficient strategic planning to achieve a satisfactory renewal.
We are proud to be experts in cyber insurance coverage and are happy to field any enquiries you may have. If you would like to discuss, please contact us.
This guide is for information purposes and is based on sources which we believe are reliable. The general risk management and insurance information is not intended to be taken as advice with respect to any individual circumstance and cannot be relied upon as such.