What is Cyber Insurance?

Cyber Insurance is protection for your intangible assets, acting as a modern-day crime policy. Crime has shifted from the physical to the electronic, and a cyber insurance policy exists to address these risks.

In the event of a cyber incident, the ‘Incident Response Service’ provides you with immediate access to a range of IT specialists, such as in forensic IT, cyber security, legal, compliance, as well as niche areas such as ransom negotiation, where required.

Some insurers also include preventative services, scanning your IT network pre-emptively to search for vulnerabilities or breaches, and notifying you with guidance as to how to rectify the identified issues.

What are my Cyber risks?

Almost every business will have a cyber exposure.

Many businesses have operational risks, whereby a cyber incident could stop or reduce its ability to operate. Malicious attacks against a business whereby unauthorised access is gained by the attacker is the most commonly associated cyber claim, resulting in an operational exposure (read about protecting your business from cyber attacks here). However unauthorised access does not need to be gained for there to be an operational impact. Distributed Denial of Service attacks do not require any unauthorised access but can prevent a businesses from trading. In addition, there need not be a malicious event to cause an operational impact. A failed IT upgrade can have huge ramifications and bring a businesses trade to a halt.

Informational risks are also significant exposures to business. Breaches of data confidentiality, such as leaving a laptop on a train or sending an email to the wrong person, are common data related incidents. Similarly, data becoming corrupted or unavailable due to a range of reasons, including accidental deletion, are key data risks to businesses.

There can even be physical risks arising from cyber issues, from the need to replace unusable IT hardware following a cyber-attack, to damage being caused due to the malfunction of machinery (for instance damage caused due to the inability to shut down a blast furnace).

What does a Cyber Policy respond to?

These are known as cyber triggers, and can broadly classified into three categories.

Cyber Events

This primarily includes unauthorised access to your IT network. It also includes malicious attacks against your network where unauthorised access has not been gained (Distributed Denial of Service attacks).

Data Events

Data security breaches are some of the most common cyber incidents. Examples include misplacing confidential data/IT or sending an email to the wrong person. The policy also responds to privacy law breaches, such as mis-use of data, as well as regulatory investigations and prosecutions, including legal defence costs.

Other Events & Extensions

As standard a cyber policy covers the businesses own network and data, however many businesses rely on third party outsourced service providers for parts of their IT infrastructure. Some of the better cyber policies offer cover for cyber events affecting external networks and data, which we’d always recommend where available.

Similarly, the policy can be extended to cover human error or system failure. These are losses caused by a businesses own error or system failure, such as a failed IT upgrade. It’s an important coverage given the majority of claims do not involve any unauthorised access or malicious attack.

Cyber extortion, otherwise known as ransomware, are some of the most costly cyber claims to affect businesses and regularly exceed £100,000, however are not always included as standard.

Coverage can also be extended to cyber crime exposures. This would include theft of money, typically from a bank account, as a result of a security breach. Most importantly, it encompasses financial transfer fraud (also known as social engineering fraud) whereby phishing emails attempt to encourage a business to transfer its funds to an unintended third party, typically by pretending to be someone they are not.

Cyber Coverage

The coverage provided under a cyber insurance policy can be split into two groups of covers.

Third party covers, whereby the business is covered for against claims made against them, as a result of the cyber incident, and first party covers, where the business is covered for its own losses.

First party losses can include:

• Breach Costs / Incident Response Services – This is basically the ‘investigation’ costs. It covers the costs of technical experts to immediately step in following a ‘trigger’, investigate the issue, resolve the issue and get systems back up and running.
• Experts may include:
  • Forensic analysts to trace where the issue has come from / what has been compromised
  • Cyber security engineers to identify how to secure the network
  • Ransom negotiators
  • Business resumption specialists
  • Data breach solicitors to advise on the legal position
  • Crisis communication specialists
• Business Interruption – covers your business for loss of revenue, or increased costs, following an insured ‘trigger’ (see What does a Cyber Policy respond to? Above)
• Ransom/Extortion – an attempt to recover systems, failing which negotiation and settlement, of a ransom demand.
• Crime Financial Loss – such as theft of money from a bank account as a result of a security breach, or financial transfer fraud (social engineering fraud) whereby phishing emails attempt to encourage a business to transfer its funds to an unintended third party, typically by pretending to be someone they are not.

Third Party Losses can include:

• Cover for claims made against the business due to the cyber event or data event
• Regulatory Fines and Penalties (where insurable)
• Defence Costs ie. in relation to fines, penalties or claims, such as data breach claims.
• Payment Card Industry Data Security Standard claims

Why your business really needs to consider cyber insurance

There are a range of reasons businesses do not currently purchase cyber insurance. Below we seek to dispel some common misconceptions and explain why, if you don’t already, your business probably ought to be purchasing cyber cover.

‘We’re too small’

One of the most common beliefs is that hackers only target large, multinational public companies. However, that couldn’t be further from the truth. One of the main UK cyber insurers CFC has reported that 86% of all of their cyber claims were targeted at businesses with a turnover of less than £50m. Furthermore, the 2022 Government DCMS Cyber Breaches Report identified that over 1/3^rd of businesses with less than 10 employees reported suffering a cyber incident in the previous 12-month period.

There is sound reasoning behind this strategy. Cyber criminals are opportunists, and therefore target businesses which are vulnerable, not valuable. Imagine a petty criminal walking down a street trying the car door of every vehicle until they find one which is unlocked. A cyber criminal is no different, if they stumble across a vulnerability, it will be exploited.

Consequently, there is no business too small to require cyber insurance.

‘We don’t collect data’

It may be a surprising to many to learn that the majority of cyber claims do not involve any data.

Ransomware attacks are some of the most costly type of cyber incident and doesn’t require any data in order to be targeted. In fact, ransomware is the opposite of data breaches, locking you out of your IT system rather than disclosing confidential data.

The most frequent form of cyber claim is Financial Transfer Fraud (Social Engineering Fraud). This is where phishing emails attempt to encourage a business to transfer its funds to an unintended third party. Notably, this cyber risk does not involve any data. Any business making wire transfers (ie. BACS), therefore has a cyber exposure.

It is also worth bearing in mind that even if a business does not hold or process customer data, employee data still brings with it data liabilities.

‘We invest in our IT’

Cyber insurer CFC has stated that 75% of their cyber claims relate to human error, such as clicking malicious links of falling victim to Financial Transfer Fraud (Social Engineering Fraud). Therefore, most cyber incidents do not involve someone ‘breaking in’ past the IT defences, rather the issues are most commonly caused by internal errors.

Regardless, even the best security will never be enough to be 100% secure. As new cyber defences are implemented, cyber criminals find innovative ways round them, for which new defences are mounted, and so the cycle increases. By way of example, in early 2023 was a sharp increase in Multi-Factor Authentication being bypassed by cyber criminals.

There is a misconception that simply because a business has robust IT defences means that there is no place for cyber insurance. However, this stance does not exist for virtually any other area of insurance. Where a property as a fire alarm and a sprinkler, protecting against the risk for fire, the owner still elects to purchase fire insurance, should these protections fail. The same deductions ought to apply for cyber security and insurance; simply because there are defences and precautions in place, does not mean they are infallible and insurance isn’t needed.

‘We outsource our IT’

Just because you have outsourced your IT doesn’t mean you are not responsible. As the data was provided to you, but you outsourced some IT functionality, you are responsible for any breaches. Your customers will claim against you for a breach of their data confidentiality.

Commonly Cloud Service Providers (ie. Amazon) and Managed Service Providers (your external IT company) don’t accept liability to you. Instead, they often have a total exclusion for any losses, including consequential losses (ie. your loss of revenue following downtime). Therefore, the liability for data breaches and exposure of potential lost revenue for system downtime rests with you, even if you were not at fault. That said, a cyber policy can protect you from such losses.

‘Cyber claims don’t get accepted’

This is one of the easiest misconceptions to debunk. Cyber Insurance has the highest claims acceptance rate (99%) of any line of business.

Many policies not only accept actual cyber events, but also threatened cyber events and even suspected cyber events.

Often, policies will also have £0 excess for the initial 48-72 hours during a cyber response.

This misconception has been derived from non-cyber policies, for instance building insurance policies, which historically had a little cyber cover inadvertently included, meaning there may have only been partial cover for a cyber claim. Pure cyber policies do not have this issue.

That said, cyber insurance policies are relatively complex in nature, with a number of optional extensions. It is important to engage with an informed cyber broker to ensure the policy implemented comprehensively protects the business.

‘It’s too expensive’

Ultimately, the premium is commensurate with the risk of a cyber incident. If the premium is higher than you expect, that is potentially indicative of the true cyber exposure to your business.

For many businesses, cyber is the single greatest threat to their operations. It is therefore not surprising that the premium will account for a reasonable proportion of the overall insurance expenditure.

In reality it needs a shift in thinking to protect not just the tangible but also the intangible.