Cyber insurance - does your business value its reputation?

June 13th 2023

Cyber Risk is one of the hot topics of the moment and continues its inexorable rise up the list of concerns for businesses worldwide. You only need to watch the news to know the risk of cyber threats is greater than ever before. These high profile attacks, like the recent attack on the NHS, underline how important it is for businesses to take their cyber security seriously.

The true cost of cybercrime has been estimated to be on average £300-£400bn a year globally and a recent UK government survey estimated that 81% of large corporations and 60% of small businesses suffered a cyber breach.

All businesses, from a small florist to large multinational banks, have a duty of care to keep data secure, and the ramifications of not doing so can lead to severe legal, financial and reputational damage. If your business processes sensitive data, such as credit cards, or you have intellectual property or personal information on your employees, customers or contractors, you need to consider your cyber risk.

Cyber insurance is developing rapidly to cover these risks and the range of cover in this competitive market has expanded considerably over the past few years.

Despite these developments and the news headlines, many businesses still do not purchase cyber insurance, either due to its perceived high cost, a lack of understanding of what is and isn’t covered or because they believe they will never suffer a cyber-attack.

Many large companies have been under attack in the last 3 years, including Apple, Sony, Samsung, Yahoo, Wonga and Tesco to name but a few. One would hope these companies have suitable cover in place to protect against these attacks. But it isn’t only big companies that can get attacked; recently a small local family business lost £18,000 after falling victim to a sophisticated email fraud. To put this in perspective, it is estimated that the average cost of a cyber-security breach is £600k- £1.5m. for large businesses and £65,000 - £115,000 for SMEs.

Hackers are always on the lookout for weak points in a security system and no single technology exists that will prevent a cyber-attack and, even if there were, there is always likely to be an unavoidable lag between the onset of new threats and the development of new technology to prevent it. Having a cyber insurance in place can assist with this in the event of an attack/breach.

Not only could a breach result in a loss of sensitive data and reputational damage with a business's customer base, but there is also the possibility of regulatory action and fines. With the introduction of the new data protection rules (The General Protection Regulation), there are now severe penalties for data breaches and, while this is a wider subject, all organisations need to consider this more fully. An example of where Cyber Insurance could potentially assist financially is the payment of the fine, as the maximum fine under the new law for serious breaches could potentially rise as high as €20m.

Directors of companies must also recognise the risk of cyber-related directors’ and officers’ claims. While not yet common in UK/Europe, directors in the US are facing legal action stemming from oversights in their company's cyber security and it will only be a matter of time before we see this as an emerging threat to directors here, who will be held to account over any failures of a company’s privacy and data protection policies.

It is therefore vitally important when reviewing your cyber risk and obtaining cover that you look at all the emerging cyber risks: from data breaches and network outages to corrupt data, lost customers, regulatory fines, litigation claims and cyber extortion payments. What is the function of cyber cover?

A cyber insurance policy is not a traditional insurance policy that will pay out a monetary amount in the event of a loss. The benefits it provides are much broader and in fact it is the access to expertise, advice and support that you would otherwise not have that is the real benefit.

Here are some examples of the more common insuring clauses and where they would apply:

• Data breach – Cover would be provided for losses incurred by you if you suffer from the unauthorised access, use or disclosure of personal data. Cover would generally include expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines.

• Multimedia/Media liability cover - If a claim is made against you arising from the content of your email, website or other electronic communications as a result of alterations made by a hacker, Insurers would pay for compensation and defence costs.

• Extortion liability- Cover is typically provided for losses due to a threat of extortion and professional fees related to and dealing with the extortion.

• Network security/Privacy liability – Cover would be provided for third-party damages as a result of breach of confidence or invasion of privacy, including public disclosure of private facts or of confidential information or intrusion into private life, or failure to maintain the security of personal data or to comply with the requirements of data protection legislation.

What steps can I take to mitigate the cyber threat?

Of course, merely purchasing cyber insurance could also give rise to a moral hazard as companies may then be loath to spend money on technology solutions and cyber controls – thus transferring their risk entirely, rather than investing in risk mitigation eorts to improve their cyber security.

It is essential for businesses to have a comprehensive risk management strategy, which involves human strategies, technology and insurance and these should encompass:

• Mapping your critical data;

• Explain and educate the importance of data security to employees;

• Ensure your antivirus software is up to date;

• Develop a cyber incident response plan;

• Ask your IT department/supplier to carry out a Cyber Risk stress test; and finally

• Purchase a Cyber Insurance cover

As the insurance is a specialist subject it is important that you speak with a broker like Network Insurance, who will listen to your concerns, understand your requirements and then approach a range of insurers to obtain terms before making a recommendation to you based on their knowledge of the products and your requirements.

If you would like to know more please contact Oliver Goater at Network Insurance & Financial Planning. Tel: +44(0)1481 701400, Email: hello@network.gg