Daines Kapp Insurance Brokers Ltd
Daines Kapp House,
4 Baldock Street,
Ware, Hertfordshire, SG12 9DZ
T: 01920 484844
If you transfer funds to a fraudster, or are subject to a ransom demand to unlock your systems, or have a claim made against you for breaching data, what would you do and who would you call? Cyber insurance is your 999 cyber emergency service.
Cyber Insurance is protection for your intangible assets, acting as a modern-day crime policy. Crime has shifted from the physical to the electronic, and a cyber insurance policy exists to address these risks.
In the event of a cyber incident, the ‘Incident Response Service’ provides you with immediate access to a range of IT specialists, such as in forensic IT, cyber security, legal, compliance, as well as niche areas such as ransom negotiation, where required.
Some insurers also include preventative services, scanning your IT network pre-emptively to search for vulnerabilities or breaches, and notifying you with guidance as to how to rectify the identified issues.
Interested in more information? Read our Cyber Insurance Buyer’s Guide here.
Almost every business will have a cyber exposure.
Many businesses have operational risks, whereby a cyber incident could stop or reduce its ability to operate. Malicious attacks against a business whereby unauthorised access is gained by the attacker is the most commonly associated cyber claim, resulting in an operational exposure (read about protecting your business from cyber attacks here). However unauthorised access does not need to be gained for there to be an operational impact. Distributed Denial of Service attacks do not require any unauthorised access but can prevent a businesses from trading. In addition, there need not be a malicious event to cause an operational impact. A failed IT upgrade can have huge ramifications and bring a businesses trade to a halt.
Informational risks are also significant exposures to business. Breaches of data confidentiality, such as leaving a laptop on a train or sending an email to the wrong person, are common data related incidents. Similarly, data becoming corrupted or unavailable due to a range of reasons, including accidental deletion, are key data risks to businesses.
There can even be physical risks arising from cyber issues, from the need to replace unusable IT hardware following a cyber-attack, to damage being caused due to the malfunction of machinery (for instance damage caused due to the inability to shut down a blast furnace).
These are known as cyber triggers, and can broadly classified into three categories.
This primarily includes unauthorised access to your IT network. It also includes malicious attacks against your network where unauthorised access has not been gained (Distributed Denial of Service attacks).
Data security breaches are some of the most common cyber incidents. Examples include misplacing confidential data/IT or sending an email to the wrong person. The policy also responds to privacy law breaches, such as mis-use of data, as well as regulatory investigations and prosecutions, including legal defence costs.
As standard a cyber policy covers the businesses own network and data, however many businesses rely on third party outsourced service providers for parts of their IT infrastructure. Some of the better cyber policies offer cover for cyber events affecting external networks and data, which we’d always recommend where available.
Similarly, the policy can be extended to cover human error or system failure. These are losses caused by a businesses own error or system failure, such as a failed IT upgrade. It’s an important coverage given the majority of claims do not involve any unauthorised access or malicious attack.
Cyber extortion, otherwise known as ransomware, are some of the most costly cyber claims to affect businesses and regularly exceed £100,000, however are not always included as standard.
Coverage can also be extended to cyber crime exposures. This would include theft of money, typically from a bank account, as a result of a security breach. Most importantly, it encompasses financial transfer fraud (also known as social engineering fraud) whereby phishing emails attempt to encourage a business to transfer its funds to an unintended third party, typically by pretending to be someone they are not.
The coverage provided under a cyber insurance policy can be split into two groups of covers.
Third party covers, whereby the business is covered for against claims made against them, as a result of the cyber incident, and first party covers, where the business is covered for its own losses.
First party losses can include:
Third Party Losses can include:
There are a range of reasons businesses do not currently purchase cyber insurance. Below we seek to dispel some common misconceptions and explain why, if you don’t already, your business probably ought to be purchasing cyber cover.
One of the most common beliefs is that hackers only target large, multinational public companies. However, that couldn’t be further from the truth. One of the main UK cyber insurers CFC has reported that 86% of all of their cyber claims were targeted at businesses with a turnover of less than £50m. Furthermore, the 2022 Government DCMS Cyber Breaches Report identified that over 1/3rd of businesses with less than 10 employees reported suffering a cyber incident in the previous 12-month period.
There is sound reasoning behind this strategy. Cyber criminals are opportunists, and therefore target businesses which are vulnerable, not valuable. Imagine a petty criminal walking down a street trying the car door of every vehicle until they find one which is unlocked. A cyber criminal is no different, if they stumble across a vulnerability, it will be exploited.
Consequently, there is no business too small to require cyber insurance.
It may be a surprising to many to learn that the majority of cyber claims do not involve any data.
Ransomware attacks are some of the most costly type of cyber incident and doesn’t require any data in order to be targeted. In fact, ransomware is the opposite of data breaches, locking you out of your IT system rather than disclosing confidential data.
The most frequent form of cyber claim is Financial Transfer Fraud (Social Engineering Fraud). This is where phishing emails attempt to encourage a business to transfer its funds to an unintended third party. Notably, this cyber risk does not involve any data. Any business making wire transfers (ie. BACS), therefore has a cyber exposure.
It is also worth bearing in mind that even if a business does not hold or process customer data, employee data still brings with it data liabilities.
Cyber insurer CFC has stated that 75% of their cyber claims relate to human error, such as clicking malicious links of falling victim to Financial Transfer Fraud (Social Engineering Fraud). Therefore, most cyber incidents do not involve someone ‘breaking in’ past the IT defences, rather the issues are most commonly caused by internal errors.
Regardless, even the best security will never be enough to be 100% secure. As new cyber defences are implemented, cyber criminals find innovative ways round them, for which new defences are mounted, and so the cycle increases. By way of example, in early 2023 was a sharp increase in Multi-Factor Authentication being bypassed by cyber criminals.
There is a misconception that simply because a business has robust IT defences means that there is no place for cyber insurance. However, this stance does not exist for virtually any other area of insurance. Where a property as a fire alarm and a sprinkler, protecting against the risk for fire, the owner still elects to purchase fire insurance, should these protections fail. The same deductions ought to apply for cyber security and insurance; simply because there are defences and precautions in place, does not mean they are infallible and insurance isn’t needed.
Just because you have outsourced your IT doesn’t mean you are not responsible. As the data was provided to you, but you outsourced some IT functionality, you are responsible for any breaches. Your customers will claim against you for a breach of their data confidentiality.
Commonly Cloud Service Providers (ie. Amazon) and Managed Service Providers (your external IT company) don’t accept liability to you. Instead, they often have a total exclusion for any losses, including consequential losses (ie. your loss of revenue following downtime). Therefore, the liability for data breaches and exposure of potential lost revenue for system downtime rests with you, even if you were not at fault. That said, a cyber policy can protect you from such losses.
This is one of the easiest misconceptions to debunk. Cyber Insurance has the highest claims acceptance rate (99%) of any line of business.
Many policies not only accept actual cyber events, but also threatened cyber events and even suspected cyber events.
Often, policies will also have £0 excess for the initial 48-72 hours during a cyber response.
This misconception has been derived from non-cyber policies, for instance building insurance policies, which historically had a little cyber cover inadvertently included, meaning there may have only been partial cover for a cyber claim. Pure cyber policies do not have this issue.
That said, cyber insurance policies are relatively complex in nature, with a number of optional extensions. It is important to engage with an informed cyber broker to ensure the policy implemented comprehensively protects the business.
Ultimately, the premium is commensurate with the risk of a cyber incident. If the premium is higher than you expect, that is potentially indicative of the true cyber exposure to your business.
For many businesses, cyber is the single greatest threat to their operations. It is therefore not surprising that the premium will account for a reasonable proportion of the overall insurance expenditure.
In reality it needs a shift in thinking to protect not just the tangible but also the intangible.
Daines Kapp Insurance Brokers Ltd
Daines Kapp House,
4 Baldock Street,
Ware, Hertfordshire, SG12 9DZ
Daines Kapp Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Our FCA Register number is 305208. You can check our status at www.fca.org.uk/firms/systems-reporting/register or by contacting the FCA on 0800 111 6768.
© Daines Kapp | Privacy Policy | Terms of Business | Complaints Procedure