What is cyber insurance and do you really need it?
Posted on February 1, 2023 by Louise Howland
A cyberattack on a company’s computer network and systems could cause widespread disruption, operational downtime, financial loss, legal action and reputational damage. Cyber insurance will offset costs and damages that can be incurred following a cyberattack and acts as a breach response service, helping you to get back on your feet.
There are a number of steps you can take to limit the risk of a cyberattack and safeguard your business, from cybersecurity audits to cybersecurity monitoring. However, cyber insurance provides an extra layer of protection for your organisation in a worst-case scenario.
Explore what cyber insurance is and what a policy would cover below.
What is cyber insurance?
Cyber insurance is a specialist insurance cover designed to protect a business in the event of a malicious cyberattack or serious data breach.
Cyber insurance is one of the fastest-growing areas of insurance cover due to both greater reliance on technology and increasing levels of cybercrime. With cybercriminals constantly devising new ways of breaching cyber defences, cybersecurity needs to continually develop in response to this.
The latest UK government Cyber Security Breaches Survey shows that almost one-third of businesses (and 24% of charities) have suffered cyber breaches or attacks in the last 12 months.
Over the same period, the UK’s cyber watchdog, the National Cyber Security Centre (NCSC), also removed a staggering 2.1 million commodity attacks, which are high-volume, low-sophistication attacks usually involving phishing and other scams targeting citizens and small businesses.
What exactly does a cyber insurance policy cover?
The loss of data or funds through malicious or accidental means, along with the grim prospect of technology or system failure, can be catastrophic and hugely expensive for any organisation.
In the event of a cyberattack, cyber insurance provides a business with cover for the financial losses sustained by a cyber breach in addition to liability for any damages a third party may also attempt to claim. There is a diverse range of cyber insurance products and not all policies are the same. However, the majority of policies generally cover:
- Business disruption: Lost profits and increased costs due to systems or networks being down or encrypted following a cyberattack.
- Dependent business interruption: Lost profits and increased costs due to systems or networks being down because of third-party failure from a cloud provider or other key service the company is dependent upon.
- Data retrieval costs: The cost of retrieving and restoring data and information following a cyberattack.
- Digital and data asset destruction: The loss of data stored on tapes, hard disks, and other electronic media.
- Social engineering: Costs incurred when employees are deceived into divulging information leading to criminal activity.
- Response and remediation: The cost of resolving and remedying a cyberattack including credit monitoring and public relations support to limit damage to the brand or reputation of the company.
- Notification costs: The cost of identifying and notifying data subjects about a data breach – often a demand of the Information Commissioner, the UK’s data regulator.
- Forensics: The cost of hiring forensic cyber experts to analyse the cause of a breach and the damage caused.
- Legal costs: Costs incurred in dealing with the regulator, litigious data subjects and other third parties.
- Extortion: Though rare, insurers will pay extortion costs in the event of a ransomware attack where all parties believe payment of the ransom is the most efficient way to end the cyberattack.
- Fines & Penalties: Insurance also meets the cost of civil fines and penalties arising from a cyber event.
What does cyber insurance not cover?
There are certain situations where cyber insurance does not provide cover. These include loss, loss caused by cyber warfare, any event where an insurance payout would breach international sanctions, or attacks on core elements of the internet that result in a national or global outage of the internet.
Who needs cyber insurance?
Cyber insurance is valuable for a wide range of businesses and charities, regardless of their size or industry. Any organisation that uses technology, stores sensitive information, and relies on digital operations can benefit from cyber insurance. Cyber insurance cover should be taken out by any organisation that:
- Stores, uses or sends business-critical information and personal data such as names, addresses, banking details and passport numbers
- Uses eBanking facilities to move money
- Has its own website
- Is reliant on digital technology to conduct everyday business activities
- Adheres to Payment Card Industry (PCI) standards
The importance of cyber insurance for businesses was highlighted in an IBM report which revealed that the average cost of a data breach reached USD 4.45 million in 2023, a 15% increase over 3 years. As a result, effective risk management is a growing priority and cyber insurance remains one of the most effective ways to mitigate losses.
Despite the clear benefits of cyber insurance, only 43% of UK businesses were protected by a cyber insurance policy according to the government’s Cyber Security Breaches Survey 2022, leaving the remainder exposed to costly cyberattacks and data breaches.
In addition to cyber insurance, UK businesses also have a legal responsibility to protect data and sensitive information belonging to customers and individuals under the Data Protection Act. Businesses found in breach of this duty are subject to a variety of sanctions, including being fined up to 4% of their turnover.
Find the right cyber insurance for your business
There is a wide range of cyber insurance policies available depending on the level of protection a business requires. Businesses should weigh up a number of factors before deciding which policy is right for them, including their risk profile and the damage a data breach would cause them and their stakeholders.
The sensitivity of data held by a business should also be taken into account. For example, damage caused by a data breach is likely to be worse if it involves the theft of sensitive personal information such as healthcare data and financial details such as bank account or payment card information.
Many cyber insurance companies will require that businesses and organisations take vital steps to mitigate the risk of a cyberattack or data breach by enhancing their human firewall or investing in cyber awareness training for their employees.
ramsac and Partners&
We are very proud to be partnering with Partners&, to bring specialist insurance advice to our clients. Partners& is a next-generation insurance advisory business. With access to specialist advisers, Partners& help organisations map the risks facing their business and implement practices that protect the organisation. Providing a seamless approach to risk management, insurance and claims ensures organisations receive the most efficient protection.
Strengthen your cybersecurity defences with ramsac
Cybersecurity breaches are one of the main threats in today’s business landscape. Protect your organisation from cyber threats by contacting us today.