There are a rising number of threats to the operation of our businesses in today’s modern and connected world, to the security and safety of assets, personal and corporate data and intellectual property rights. News of hacks and data breaches of major companies such as TalkTalk, the NHS, Debenhams, Wonga, Equifax and Uber make the main headlines. However, smaller companies are in reality, just as likely to be impacted by a cyber-attack, compromising confidential data or business models, stealing funds or mis-programming essential equipment.
There are many companies, particularly small and medium enterprises (SMEs) that believe they are immune yet the National Cyber Security Centre 2017 Cyber Security Breaches Survey reports 46% of small businesses and 66% of medium enterprises suffered at least one cyber-attack over the 12 month period reviewed.
The size and variety of businesses at the SME level make them a natural target for cybercrime and fraud, as companies often hold customer data with lower levels of protection than major corporations.
Focus on managing exposure to cyber risks for example; checking the suitability of firewalls, briefing staff on cyber security best practice, updating malware protection are all now key to business survival. The insurance industry is playing an important role in supporting prudent businesses of all sizes to both improve their resilience to cyber-attacks and to help them recover if the worst should occur.
Read on for our list of what to look for in a cyber insurance policy when considering protection for your business:
Six Key Areas in Cyber Insurance Policies
- “Hacker Damage”/ Digital Asset Replacement Expenses
This covers loss or damage inflicted by a hacker on digital assets. It essentially provides protection against alteration of data, corruption and protection against loss. It can also cover the misuse of computer programmes or systems.
Asset replacement expenses are particularly relevant for firms that rely on online business models or on automated manufacturing systems where a hack could inflict significant damage to business operations.
- Privacy Breach Costs
This is one of the most important sections to look out for in a cyber policy. It can sometimes be found under separate clauses as Privacy Liability and Breach Costs
“Privacy Liability” will provide protection against claims received for infringement of privacy and associated legal costs in the event of a breach. This cover can usually provide for payments to claimants and the legal and regulatory defence costs arising from a privacy breach.
This type of cover is important for businesses that handle or store any personal information from or on behalf of, their customers.
“Breach Costs” cover your business for costs resulting from dealing with a security breach. Examples include;
- IT forensic costs;
- the cost of notifying customers of a cyber breach;
- hiring a call centre to answer customer enquiries;
- any resulting legal fees/ costs;
- the costs of responding to regulatory bodies;
- public relations advice;
- Cyber Business Interruption Loss
This is a core cover available across all cyber insurance policies. This section provides cover for your loss of income resulting from an interruption to business operations caused by a cyber-attack or IT failure. Cover is provided for the duration of the interruption subject to the policy indemnity period and includes provision for increased costs of conducting business after the attack.
This may be a vital safety net to the business as you look to recover your normal working pattern. It is also important to note that Business Interruption arising from a cyber-attack or IT failure is specifically excluded under standard Commercial Combined insurance policies.
- Cyber Extortion
This protects your business from ransomware and other malicious attempts to take control of, and withhold access to, your personal or operational data until a fee is paid. Typically this clause will reimburse payment of the ransom amount demanded by the attacker and extend to include any consultant’s fees to oversee negotiation and transfer of funds in response to the ransom request. This is a standard clause in most insurance policies. It is growing in importance as more businesses move online and the use of ransomware rapidly increases.
A Google-led study with inputs from the University of California San Diego (UCSD), New York University (NYU) and Chainalysis researchers reports that ransomware has accrued over 25 million dollars from victims since 2016*.
Note: paying an attacker to unlock your systems should not be the first course of action. It is vital that the matter be reported to the police in the first instance. You should also speak with your insurer to establish the conditions for them paying any cyber extortion expenses.
Once a ransomware attack has been resolved, focus should be turned to repairing the breach and bolstering security.
- Media Liability
Provides cover for claims made against the business leading from your digital media presence for libel, slander, defamation or infringement of intellectual property rights, invasion of privacy or domain name infringement.
This sections is particularly recommended to companies that rely on the transmission of digital data via email or a website, on a large social media or digital content creation business model, or companies whose sites features a significant amount of advertising that may lead to a liability.
- Cyber Forensic Support
Some insurers include this cover as a stand-alone clause. Some will provide the cover under the heading of Breach Costs as explained earlier in item 2.
Most policies offer 24/7 support from insurer approved cyber specialists in the period following a hack or data breach. These specialists work to assess your systems, identifying the source of any breach and suggest preventative measures for the future. They can also be called upon to offer support advice and assistance on short notice in the event of a suspected data breach or attack to investigate whether a breach or attack has occurred and if so, to what extent and work towards mitigating any loss suffered.
IT Forensics are often included as a triage service alongside panel legal advisors that specialise in cyber events and data breaches and Public Relations specialists who will actively work with policyholders to help minimise any loss or possible damage to your business. This additional support can include advice on your legal, regulatory requirements as well as what steps to take to notify your customers of a data breach.
These cyber response and support services and cover for reasonable costs incurred against provision of these service are arguably one of the most valuable benefits available under a cyber policy.
A good policy will provide access to specialist service providers in addition to reasonable costs to engage their services rather than covering costs in isolation.
Notable Cyber Policy Exclusions
As is the case with all insurance policies, reviewing policy exclusions is equally important as reviewing the policy cover and benefits. Many of the exclusions appearing in a cyber policy can be found in other types of policy. Below we have listed some of the exclusions more particular to cyber insurance.
Failure to put right
Any failure to put right defective systems, procedures or software where the existence of defects, deficiencies, or vulnerability to attack has been identified will invalidate a policy.
Check which territories a cyber policy applies to. Policies purchased in the UK usually include territories in the European Union and much of the rest of the world in their cover. The United States and Canada are often excluded but may be accommodated on referral to insurers.
“Bodily Injury and Property Damage”
Digital Asset Replacement clauses reimburse policyholders for the costs to restore the data or replicate it to the same level that it was prior to the breach but cyber insurance policies will not usually cover damage to physical property or bodily injury arising from a cyber incident.
“Crime vs Cyber Insurance”
Cyber insurance will protect and reimburse your business in the event of loss of data as well as providing the necessary support for legal, notification and other costs in the event of a breach. Only certain cyber polies containing a specific crime section however, will provide reimbursement for a financial loss (such as a hacker stealing money from a bank account). This would otherwise be more specifically covered under a crime insurance policy.
We work with specialist insurers who provide Cyber coverage and we will work with you to identify which cover suits your business needs. If you want to find out more about Cyber insurance, you can speak to one of our team today.