Cyber insurance protects businesses from both malicious attacks and computer system failures. The specialist packages offer peace of mind for business owners small and large, covering a range of nightmare scenarios including cyber hack, viruses, theft, data breach and extortion.
Cyber insurance also provides financial help to cover a range of issues that arise from the incident, such as legal fees and advice, hiring a customer service team to answer inquiries, public relations advice, notifying customers, replacing assets, restoring computer systems and more.
The UK Government estimates almost half of businesses (47%) have suffered a cyberattack. Some estimates found there were about 65,000 attempted cyberattacks on UK businesses every single day in 2018. About 4,500 a day were successful.
The most common cybersecurity breach is fraudulent emails being sent to customers, or being directed to fraudulent websites, with 86% of affected businesses reporting such incidents according to the Department for Digital, Culture, Media and Sport.
With smartphones and other electronic devices now part of society’s way of life, it’s more important than ever for businesses to stay protected to prevent cybercriminals from getting hold of accounts and data.
What does cyber insurance cover?
Cyber insurance should cover aspects of business interruption, financial loss and expert advice if a business finds it has been the victim of a computer-based incident. Cyber insurance is split into first party and third party liability, and not all policies cover both. Here’s what each of these covers so you can decide which of the coverages you need.
First party cover protects against direct costs to the business as a result of an IT-based issue including:
- Business interruption: An organisation loses income or is hit with unexpected costs due to a cyberattack or incident.
- Managing the attack: Some insurers offer 24/7 support from specialists to be able to assess systems and get a business up and running. They can also offer legal and practical advice on the laws and processes to follow to protect both the business and its customers.
- Investigations: To find the cause of the incident.
- Cyber extortion: Defend against ransomware and other malicious attempts to block systems until money is paid. In some cases, insurers will meet the cash demand, although this is not the best first option.
- Notification costs: Funding the extra costs involved with informing customers and other contacts of a security breach, including the legal advice on how best to do this.
- Recovering lost data or programmes: Experts can be hired to identify the breach’s source, check systems and re-establish lost files.
- Restoring computer systems: Covering the cost of experts to bring whole computer systems back.
- Reputation management: Restoring credibility with customers with practical solutions such as credit monitoring or funding a PR campaign.
A cyberattack can also harm a business’s clients or other parties. The third-party cover protects against losses and costs to customers or other third parties, including:
- Privacy protection: Legal defence costs, investigation costs and settlements to customers if a business has breached data protection laws and their right to privacy.
- Media liability: If a third party has a defamation claim due to a security breach, insurers can cover the cost of investigation, defence and damages.
Business interruption cover is at the heart of all policies, with insurers covering the loss of income during the period of disturbance, as well as any increased costs that result from the incident. For example, being forced to stop trading due to an IT shutdown, or because the business has become the victim of a cyberattack, is a situation in which business interruption cover can be a critical lifeline.
What does cyber insurance not cover?
Cyber insurance does not cover incidents put down to poor management or upgrades to systems. Although policies vary between providers, cyber insurance generally does not include:
- Hacks by directors or partners running the company.
- Failure by your service providers: If the interruption can be put down to an internet service, cloud or telecommunications provider.
- Intellectual property losses.
- Bodily injury: Insurance covers digital losses, but not damage to physical property or bodily injury.
- Compliance reviews: Upgrades to security systems and routine investigations and supervision.
- Defamatory statements that you know or should have known were defamatory at the time of publication.
Does cyber insurance cover GDPR fines?
It is not yet clear whether insurance will cover the cost of GDPR fines; however, insurance can certainly cover other implications of a GDPR breach.
Fines are meant to act as a deterrent, and there is an illegality defence that stops businesses covering their fines with an insurance payout. Until a case is tested in court, there is no precedent for insurance providers and prosecutors.
However, it is worth noting that accidental non-compliance with GDPR does throw up some other issues which could be covered by cyber insurance.
These include restoring IT systems, recovering lost data, covering costs associated with reporting the breach to customers, legal and expert advice and payment of damages to customers.