Cyber insurance has come a long way in the 26 years or so since the first policies came to market, and yet for many it still feels like a new class of insurance. Many commercial insurance advisers and their clients struggle to truly understand the numerous cyber threats and why cyber insurance protection is so important for all businesses. In this blog we will cover some of the dangers of cyber as well as the basics of what a cyber policy covers you for.
The reality of cyber crime
First, a few facts:
- It’s impossible to be 100% secure against cyber threats.
- It’s a matter of when, not if. 39% of UK businesses suffered a cyber incident in 2022.
Attacks against large companies, organisations and governments make headlines daily, but the reality is that 43% of cyber-attacks target SMEs. These businesses and organisations, with their more limited resources, are easy pickings for cyber criminals.
Often it is ransom attacks and data breaches that make the headlines, but there are many other cyber threats such as social engineering, telephone and banking fraud.
Cyber-crime is accelerating at pace, not only in terms of the diversity of attacks but also in terms of economic size. It has grown to become a massive and professional industry where services such as ‘hire a hacker’ exist. According to the World Economic Forum (WEF), it is the third largest economy after the US and China and is projected to cost the world $8 trillion in 2023 and $10.5 trillion by 2025. Therefore, threats to businesses and successful cyber-attacks will only increase, and yet many businesses remain uninsured and unaware of the full extent of the risk they are exposed to. Cyber criminals only need to get lucky once, but businesses need to be lucky constantly.
Cyber crime isn’t all about data though. Fraud is an ever-present threat to all businesses and there are many sophisticated ways that criminals can steal from businesses. Recently, a coffee shop owner made the news when he was defrauded out of £32,000 by criminals posing as his bank using number spoofing.
In response to these evolving and increasing cyber risks, accelerated by the Covid-induced rapid transition to remote working and the additional security risks this brings, the cyber insurance industry is reacting and evolving at pace. Some markets are innovating faster than others, and there are significant differences between the best and worst cyber insurance products. Therefore, it’s really important to work with a broker such as Hayes Parsons who understands cyber insurance, cyber risk and your needs to ensure the product is suitable for your business.
Each business is unique and cyber policies will vary depending on size and sector but to give a generalised overview, a cyber policy should include cover for the following:
This is the initial reporting of the incident and first steps in response. It can include initial remote support and the formulation of a coordinated action plan.
Breach investigation & containment costs
Following the incident response, a breach investigation will be carried out which is an integral part of a data breach response. This stage will:
- Establish whether there has been a breach.
- Clarify the full circumstances and extent of the intrusion.
- Assess the damage caused by it.
- Identify how the systems were accessed and how to stop this continuing.
Initial legal response
A rapid legal response is vital to consider the legal implications early, such as the obligation to notify and the different jurisdictions that may apply. Client-attorney privilege is important: it allows the free and open exchange needed for the lawyer to fully understand what has happened. The legal team should work closely with the forensic team in case their report is needed as witness testimony.
PR & crisis management
PR and crisis management is often overlooked but is an important feature of cyber insurance. A cyber incident and, more importantly, how it is handled can make or break a business’s hard-earned reputation. Regular communication with all interested parties is key.
Informing all affected parties may involve setting up call centre services to speed up the process and freeing staff time to focus on the business. It might also be necessary to fund credit and identity monitoring of affected individuals.
Third Party Liability
Compensation to affected individuals can vary wildly, depending on the type of data leaked. Compensation for a personal data breach could be up to £2,000 per individual, but this could rise significantly where medical or financial data is involved or where the breach causes physical or emotional distress.
Regulatory defence & penalties
The maximum GDPR penalty is a fine of up to £10 million or 2% of the firm’s worldwide annual revenue. Although GDPR fines are uninsurable, the vast majority of cyber policies will cover legal defence costs and penalties where permissible by law. Privileged legal advice can be important (but costly).
System rectification costs
Where a system has been damaged by a cyber incident, the costs associated with rectifying the damage can be considerable. In the worst-case scenario, the data may have to be rebuilt.
For some businesses, a cyber incident can bring the operation to its knees, resulting in a loss of revenue. Protection against this can be vital.
Not always included but should be an essential part of your cyber protection. Can include:
- Extortion (ransom or DDoS attacks)
- Funds Transfer Fraud
- Telephone Fraud/Telephone hacking
- Social Engineering (fake invoicing, Fake Director, Phishing, etc.)
Whilst most generic cyber policies can cover you for the features detailed above, businesses must also be aware of potential cover gaps which can include but are not limited to:
- Dependent Business Interruption – Many businesses rely on third party suppliers, such as cloud storage, software as a service (SaaS) or managed service providers. A breach within these businesses can have a serious impact on the income of the businesses they supply to.
- Bricking/computer replacement – This could arise from operational error (failed firmware updates) or as a result of a cyber security incident.
- Payment Card Liability – Cover against PCI fines, expenses and costs for breach of merchant services agreements.
- Media Liability – Website and social media posts resulting in third party claims for defamation, libel, slander, emotional distress, infringement of copyright, trademark, etc.
Hayes Parsons Insurance Brokers
Hayes Parsons has been working within the commercial sector for over 50 years. We understand that each business has different requirements and can create you a bespoke cyber insurance policy to protect you from the threats in the digital age. We have dedicated cyber-trained experts who would be delighted to have a chat with you about your insurance arrangements. If you want to find out more about how cyber insurance can protect your business, please get in touch with our cyber expert using the following contact details: