A practical guide to Cyber Insurance
Arranging insurance can be challenging and it is never easy to know what you are getting. This is particularly true of cyber insurance, a relatively new insurance that has many cover variations, making it hard to know what benefit you are actually receiving for your premium.
One very important aspect of the protection is the incident response support you receive under a policy. Through a policy you have access to blue chip companies who manage the incident on behalf of the policyholder in respect of forensic investigation to unlocking data to PR and legal services.
Cynically operators will take advantage of firms when they are literally on their knees and knowing you have the cavalry up your sleeve to resolve issues is worth as much as the cover itself, whilst reputations are on the line.
Costs of cyber incidents
Cyber insurance started in the US, where it is a normal insurance purchase. The UK and Europe have taken longer to see the requirement of cyber insurance. The retail sector was the first to see the importance and understand the detrimental effect a cyber loss could have on online sales and the damage to reputations should personal data or credit card information be lost.
The primary cause of cyber losses comes from human error, and this is particularly true of own employees. Phishing incidents continue to rise, and it appears no matter how much eLearning takes place, the number of incidents still increases. Cyber criminals remain well-funded, have sophisticated tactics and are credible in their deceit.
According to IBM’s Costs of a Data Breach Report 2022, the average global cost of a data breach is $4.35 million (UK average $5.05m), with 83% of companies having more than one breach. Phishing incidents are costing organisations an average of $4.91m, globally and UK ransomware $1.08m. The figures exclude large multinational firms and reflect the SME and mid-market, making the numbers very real.
What information do cyber insurers require?
Quite a lot. It is important to work with a broker who can extract the right level of information to secure the right cover. It is also important to use the information to demonstrate strong security as this helps secure the best rates. Having in force multi- factor authentication, employee training, Cyber Essentials, are all areas that can support competitive terms.
What does the policy cover you for?
There are three areas designed to cover your own costs, liability to others and incident response. Consider it like a motor policy: insuring damage to your vehicle is your own costs, liability is the damage or injury for which you are responsible, and the incident response is the garage repairer.
First party cover – provides cover for the company’s own financial losses in the event of a cyber incident. This can include:
- Business interruption from downtime of system
- Extortion and, importantly, ransomware
- Customers’ notification costs
- Reputational damage
- Theft of money or digital assets (recommended as an extension)
Third party cover – provides cover for liability against the company as a result of the breach. This includes media liability, arising from defamation or infringement, network security, and privacy liability.
Insurers’ response and support services:
24/7 cyber response puts you in touch with the right specialist, whether legal, IT forensics, PR or simply a call centre to manage the event with your customers. It is these services that are so key to ensuring compliance with the regulator and upholding reputations.
Additionally, insurers can provide risk mitigation services on complimentary basis such as employee eLearning, blacklist IP blocking and infrastructure vulnerability scans.
Areas to consider when purchasing cyber cover
- Contract terms really matter in the cyber world – it is recommended that contract terms are vetted by solicitors, especially when on-boarding IT service providers. It is important to retain contractual redress as many losses are caused by vendors.
- Other cover – Elements of cyber cover can exist in non-cyber policies, such as privacy liability under employers’ or public liability covers. It is important to ensure that your insurance programme dovetails across the programme.
- Claims consideration – Bespoke insurance policies should be purchased for professional indemnity, cyber and products liability, including efficacy for specialised sectors. One insurer is recommended as a single loss could cause a professional indemnity and cyber claim.
- Keep it secret – Whilst there are no confidentiality conditions under a cyber policy (as in kidnap and ransom policies), companies should bear in mind that if a perpetrator knows a cyber with extortion cover is in place, then they may be more likely to attack an organisation and make higher demands. Cyber insurers are looking to include confidentiality clauses following recent extortion losses.
All cyber insurances policies are not made the same!
It is important that companies obtain the right professional advice on the purchase of cyber insurance. This includes making sure accurate information is shared to avoid claims being repudiated.
If in any doubt, speak to your insurance advisor.
Tina Jolliffe
Director, Consort Insurance
