Cyber insurance, also known as cyber liability insurance or cybersecurity insurance, is a policy which provides financial protection and expert support to help recover from a cyberattack or data breach. It can provide the necessary financial resources to cover your legal liabilities, pay ransomware demands, cover your loss of profits, and pay expenses such as incident response, forensic investigations, legal fees, public relations costs, customer notifications, and potential regulatory penalties.
Cyber insurance covers a wide range of cyber risks that businesses face in the digital age. These include but are not limited to data breaches, malware attacks, phishing scams, ransomware, denial-of-service attacks, network disruptions, employee actions, social engineering fraud, mistakes, negligence, IT failures, and vendor failures. Understanding the breadth of coverage offered by cyber insurance is crucial for businesses seeking comprehensive protection.
Cyberattacks have become more sophisticated and prevalent, targeting businesses of all sizes and industries. From ransomware attacks to data breaches, hackers exploit vulnerabilities in systems and networks, causing significant harm to businesses. Understanding the nature and severity of these threats is crucial in comprehending the necessity of cyber insurance. The costs associated with recovering from a malicious attack, employee action, or vendor failure can be very high, not to mention the legal liabilities if you have failed to protect client information, or regulatory fines imposed under law (e.g. GDPR).
Cyber insurance is an essential component of a comprehensive risk management strategy. It helps businesses safeguard their finances, reputation, and customer trust by providing financial assistance and resources to navigate the aftermath of a cyber incident. By investing in cyber insurance, businesses can mitigate the potentially devastating consequences of cyberattacks, ensuring their long-term viability.
Businesses need cyber insurance to provide cover against a wide range of potential incidents and attacks. These may include unauthorised access to sensitive data, theft of personally identifiable information, legal expenses, reputational damage, and costs associated with regulatory compliance and breach notification. In addition, cyber insurers can provide access to specialist incident response services under the policy, which is invaluable in reducing the exposures associated with malicious software, criminal extortion, and sensitive data leaks. By addressing these risks, cyber insurance offers businesses a safety net against the potential consequences.
Selecting the right cyber insurance policy is important for businesses seeking comprehensive protection. Factors to consider include coverage limits, deductibles, policy terms and conditions, retroactive dates, sub-limits, and additional services provided by the insurer. Cyber coverage, definitions, exclusions, and conditions will vary. Working with an experienced insurance broker can make all the difference in making sure your company is adequately protected from cyber threats at a cost-effective premium.
If you are contracted to provide a service or software solution, it is becoming increasingly important that you maintain network security and privacy liability insurance, otherwise known as cyber liability insurance. Network security liability protection will give your business the ability to pay damages to your client where required under law. For many service companies it will be purchased alongside professional indemnity insurance.
Means a failure of computer security to prevent unauthorised access, or the transmission of malicious code, that results in a liability claim.
Means an actual or alleged loss of all data that can identify a natural individual, otherwise known as personally identifiable information.
Means an actual or alleged loss or unauthorised disclosure of third party information which you are legally required to maintain in confidence.
Otherwise known as network security and privacy liability insurance, it provides cover for your legal liabilities arising from damages and defence costs from third party claims arising from a network, information or privacy breach. For example, the cover can offer protection from your legal liabilities in failing to prevent an individual's personally identifiable information being stolen or inadvertently transferring harmful malware to a third party which causes them a financial loss. This cover is being more commonly requested by clients under contract to ensure that if there is a cyber incident, they have the ability to seek damages.
Otherwise known as breach response, this section of cover will generally cover all of the costs involved in immediately responding to a cyber incident. The policy coverage can include IT security, forensic investigation, legal advice in relation to breaches of data security, and the costs associated with having to notify individuals that have had their information stolen under data protection laws (e.g. GDPR). The incident response cover of a policy provides access to cyber experts as well as paying for their services. This coverage section is one of the most important protections of a policy and provides access to the right specialists without any delays, because the most important decisions are made within the first 24 hours after an event.
Will respond to fraudsters attempting to extort money by threatening to carry out an attack or threatening to expose/destroy information having already compromised the network. The policy coverage will pay the ransom demanded to stop a data leak and restore your systems. The two most common types of cyber extortion are ransomware and DDoS (Distributed Denial of Service) attacks. These types of claims against policies have been on the rise over the past couple of years with businesses increasingly targeted by criminals because they expect insurance to cover the extortion attempt.
Can provide cover for the loss of profits and increased costs because of a security breach. There is usually a 12-hour waiting period as a deductible, then during the time you are unable to trade the policy coverage will reimburse your loss of net profit and increased costs. The coverage section aims to reimburse the business for the difference between the typical income of the business and the reduced generated income during the shutdown caused by a cyber event. The purpose of business interruption insurance is to soften the blow of the losses incurred when a business cannot operate due to a covered loss. The insured shall not profit from the business interruption section.
This covers any third-party claims arising out of defamation or infringement of intellectual property rights. Can cover communicating, reproducing, publishing, disseminating, displaying, releasing, transmitting, or disclosing media content, including social media. Cover can also include infliction of emotional distress, or other tort related to disparagement or harm to the reputation or character. Media cover started out in cyber policies to offer protection in respect of online content only, but as policies have broadened over the years, it’s not uncommon for full media cover to be provided.
Provides for the costs of electronic data or computer software to be repaired and restored in the event computer systems are damaged by an attack, which is often critical in getting the company operating again. Additionally, the cover will typically provide for the legal costs and expenses to defend the business in a regulatory proceeding, plus regulatory fines and penalties imposed by a government or regulatory body because of a security breach, where permitted by law.
Typically, cyber policies can be separated into: (1) First-party expenses which can cover the cost of incident response, cyber extortion, forensic investigation, legal advice, notifying individuals their personally identifiable information was stolen, system damage, regulatory fines, and subsequent business interruption including loss of profits and increased costs. (2) Third-party liability which can cover the costs of damages awarded by a court, insurer agreed settlements, and the legal expenses to defend any allegations. This cover is commonly requested by clients under contract to ensure they can seek compensation against your business because of a breach or attack where you are legally liable.
Each insurer's cyber policy will provide for different options, whether that's adjusting the amounts of cover or selecting additional coverage sections to provide more comprehensive cover. It's important to note that cyber insurance policies can be tailored to the individual needs of the business because companies working in different industries may have varying requirements.
Means the act of influencing a person to divulge sensitive information or to perform a task, which typically results in a voluntary payment to the fraudster.
Provides financial protection from a fraudulent taking, or appropriation of money, securities, or property (third-party, employee, or to the deprivation of a client).
There are common misconceptions about cyber insurance. Every business, not just technology companies, is exposed to cyber risk - as criminals become more sophisticated and the technology you use becomes more connected, so too do the threats you face. Every business should consider cyber insurance and an effective security plan to mitigate their risk. We've identified some objections about the need to arrange a policy and want to challenge some of the assumptions:
Our network is hosted by a third-party provider - Whether or not you outsource any services to third-party providers, any data breach will be your responsibility and your ability to recoup costs from such a third party may be limited.
We don’t process or hold sensitive data - Considering the extended scope of GDPR, most businesses will now hold personal information (e.g. email address) on their customers; note this doesn’t need to be credit/debit card details.
Our systems have high security - No system can ever be 100% protected, no matter the levels of cyber security controls embedded. Good risk management promotes risk transfer as a valuable mechanism for unforeseen events.
Cyber-attacks only occur at large companies - Large recognisable brands can make the news, but insurers’ claims experience shows that cybercriminals will not discriminate against small to medium sized businesses, especially those with lesser controls.
There are various factors we discuss below that can impact insurers' perception of your cyber risk. Underwriting your application is a subjective process and each insurer will take an individual view to calculating your cyber risk insurance premium. However, the below guide should provide some helpful information to understand what the cover may cost your business and how you can improve your risk profile.
The industry in which you work will impact your susceptibility to breaches, and therefore increase your insurance premium cost. For example, the following industries carry an increased exposure to claims: accountants, casinos, data aggregators, education sector, financial services, hospitals, hotels, medical industry, payroll services, professional services, solicitors, telecommunications, trading platforms, online gaming, and payment card processors. It's important to clearly identify what business activities you undertake when applying for cover.
Turnover is a direct rating factor for insurers to calculate your premium cost. The larger your business, the higher the premiums it will be required to pay. There will also be certain thresholds, where insurers will provide discounted rates to grow their portfolio. For example, the market for companies with a turnover of less than £1 million is the most competitive, whereas there is significantly less competition when your turnover exceeds £100 million.
The number of individual data subjects (otherwise known as personally identifiable individuals, PII) is another direct rating factor for insurers. Less than 25,000 is commonly acceptable; once you breach the 100,000 or 250,000 threshold this will impact insurers' decision making. In addition, the type of data you hold or process will impact your premium. Sensitive data such as banking, card details, and medical information is perceived as the highest risk. The larger and more sensitive the data you process or hold, the greater the risk to insurers, and the higher the premium charges it will attract.
Insurers will want to understand your turnover split by territory. Certain countries such as the US are more litigious in nature and allow for class actions (otherwise known as collective actions) on an opt-in basis, which makes it that much easier to bring a demand for compensation in a court of law. The higher exposure to a legal system which makes more frequent and higher awards means insurers will need to charge higher premiums when calculating the cost of your cyber risk insurance.
There is a growing emphasis from insurers on requiring minimum controls as conditions within the policies. Cybersecurity remains the first line of defence and if insurers are going to accept your risk, they want to make sure you adhere to best practices that mitigate your exposure to claims. Premium discounts will be available for companies which are able to demonstrate their risk-averse nature. Common controls required by insurers include: backups of critical data, VPN for remote access, multifactor authentication for cloud-based services, and cybersecurity training.
If you have been subject to cyber breaches that would have been insured, even if you didn’t have a policy in force, you need to disclose that information. Unfortunately, you will incur higher premium costs if you have been the subject of cyber claims in the past five years. Insurers will want to understand exactly what occurred, how much the cyber incident cost, and what remedial actions were taken to stop a similar incident occurring again.
Our mission is to provide our clients with the knowledge, expertise, and advocacy to secure the best coverage at the lowest cost premium. We work with a wide range of cyber insurers to ensure we can secure the most competitive coverage to protect your business from cyber risks. Ensure your business is fully protected and compare cyber insurance quotes from the wholesale market by completing our digital onboarding process or give us a call on 0345 625 0711 to discuss your requirements.
Comparing cyber insurance providers is essential for selecting the right policy. Factors to compare include coverage scope, policy limits, pricing, reputation, customer service, and the financial strength of the insurer. By evaluating these factors, businesses can make informed decisions when choosing a cyber insurance provider. All the insurers we work with have an AM Best rating of A+ and are regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
Cyber insurance is a policy which provides financial protection and expert support in the event of a cyber-attack or data breach. What specific policy covers are provided will depend upon the insurer's product and the types of cyber coverage selected. Typically, policies will include: Network Security and Privacy Insurance, Media Liability, Incident Response, Cyber Extortion, Business Interruption, Reputational Harm, System Damage, and Regulatory Fines.
Every business should consider cyber coverage - whichever sector you operate in, you will be exposed to cyber risks. Whether that's through sending emails, operating a website, processing or holding customer information, transacting business over the internet, or using third-party online services such as payment processors, internet service providers, or managed services - you are exposed to a number of cyber threats that can cause your business financial harm.
The policy coverage will typically help with:
To appreciate the need for insurance protection, it's worth considering the UK Government’s Cyber security breaches survey 2023 - 32% of businesses and 24% of charities were exposed to breaches or attacks over the last 12 months. The survey identifies that the most common cyber threats remain relatively unsophisticated, so guidance advises businesses and charities to protect themselves using a set of “cyber hygiene” measures. Some businesses and charities continue to be unaware of government guidance such as the 10 Steps to Cyber Security, and the government-endorsed Cyber Essentials standard.
Directors and officers insurance is purchased by companies of all sizes and will cover the personal risk that individuals accept when they manage the day to day running of the business. The cover will protect against civil liabilities, regulatory proceedings, and criminal allegations, whilst acting in a managerial capacity on behalf of a company.
There are a variety of business insurance covers that can help protect the company from financial losses. To better understand what insurance covers are available, request a call back from one of our insurance brokers or give us a call on 0345 625 0711.
The cyber incident response cover provides access to experts that can assist with the immediate impact of the cyber event. Detection, containment, eradication and recovery - the most important decisions are made within the first 24 hours after an event.
Technology Errors and Omissions Insurance, or Tech E&O, is a type of insurance coverage designed to protect technology companies, professionals, and service providers from liability claims arising from errors or omissions in the performance of their technology services.
Below we talk to James McBride Wilson at 'CFC Underwriting' and Anna Husband at 'Hiscox Insurance', to obtain their perspective on the challenges they face
A managed service provider (MSP) is a company that provides outsourced IT services to support businesses. An MSP can take on responsibility for the day-to-day operation, management, and maintenance of their clients' IT infrastructure, including hardware, software, network, and security.
The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. Its role includes protecting consumers, keeping the industry stable, and promoting healthy competition between financial service providers.