How does a Cyber Policy Work?


Cyber insurance policies vary greatly in terms of cover and price. ‘Add on’ or ‘thrown in’ covers have limited provision, so make sure you know what they are providing. Some policies provide Response Services only.

The best option is a stand-alone Cyber policy, although cover can differ by insurer. As I always say, no two businesses are the same, so the extent of your exposure to cyber risk will vary. For that reason, it’s important to consider which policy will suit your business requirements.

Here, we look at stand-alone policies, showing what covers are available. Generally, they are split into two parts – First Party, which covers your financial losses from a cyber event, and Third Party, which responds to claims made against you.

First Party covers include:


This is a cyber-attack involving theft of money. Examples of this include:

  • Extortion – criminals demand payment through the use of, or threat of, some form of malicious activity against you, such as data compromise or a denial of service attack. Ransomware is also an example of cyber extortion, where criminals prevent you from accessing your system or data through the use of malware. They then demand a sum of money – a ransom – to regain access. The WannaCry attack is an example of this and of the damage it can do.
  • Social Engineering – criminals trick you into giving up confidential information or taking action, such as transferring money to a fraudulent account, by pretending to be someone else, such as a supplier. A growing area of concern is CEO fraud, where criminals impersonate directors/managers and email instructions to employees in finance departments to transfer funds to their bank account. I handled this type of claim for a client – fortunately they had a cyber policy in place, and £22K was repaid to them by the insurers.

System Damage

This covers the cost of restoring your systems, data and applications if they have been damaged by a cyber-attack. As our processes become more reliant on internet connectivity, the risk of damage to operations, including machinery, is increasing. For instance, with 3D printing machines, as I talked about in this blog – printers can be hacked to produce defective products. At a recent seminar on Cyber Insurance, an insurer spoke of a claim where criminals had hacked into the systems of a manufacturer to force a printer to work harder with the intention of causing it to wear out.

Incident Response

In the event of a claim, having the right support and guidance from experts is crucial. A cyber policy will give you immediate, free 24/7 access to a team of IT, legal and PR experts who will get you back up and running fast. The policy will also pay for their costs, which can quickly escalate.

System Business Interruption

If your systems are down for a prolonged period, you will face potential loss of income and profit. A cyber policy covers this loss, plus any additional expenditure needed to keep your business going, such as employee overtime. It can also cover consequential reputational damage. Some policies will cover losses resulting from an attack at your IT provider, as well as within your supply chain.

Third Party covers include:

GDPR Investigations and Fines

A third-party cyber policy will pay the costs associated with regulatory investigations and settle fines levied by any regulator. However, it is worth noting that the jury is still out on whether or not ICO fines are insurable – cover cannot be obtained for fines arising out of criminal conduct. The ICO has not been particularly forthcoming on this, and insurers are having to decide on a case-by-case basis. In my opinion, it is safer to assume that fines for GDPR non-compliance are not recoverable.

Network Security & Privacy Liability

This covers third-party claims as a result of a data breach or a cyber event, such as an inadvertent transmission of a harmful virus or malware. The costs associated with notifying individuals that their data has been stolen and any subsequent credit monitoring are costs that fall under the first-party section.

Media or Online Liability

Claims by third parties for defamation or infringement of IP rights arising out of your online activity – email, social media or website – are covered by a third-party cyber policy. This protects your business in the event that your digital media presence leads to a third-party bringing a claim against your business for libel, slander, defamation or the infringement of intellectual property rights. This is especially important for companies that rely on the transmission of digital data via email, a website, or who have a large social media presence.

The frequency of cyber-attacks is increasing, as is the severity in terms of cost. The average cost of a cyber event seems to vary depending on the source of information; however, according to Hiscox Insurance, the average cost in the UK was just shy of £200K. This takes into account the associated business interruption and potential lost business from reputational damage. Hiscox also state that 75% of businesses affected by cyber-crime claims had a turnover of below £10m.

Can you afford NOT to have a cyber policy? Make sure you protect your business and reputation from a cyber-attack and get in touch today for advice.
