Cyber insurance is important because no matter how diligent businesses and organisations are, cybercriminals will not cease targeting them. A 2021 nationwide Government survey into cybersecurity in the UK found almost four in 10 businesses (39%) and 26% of charities suffered a cyber attack in the previous 12 months. Medium and large businesses are often the most targeted, according to the 2021 Cyber Security Breaches Survey.
Phishing – where scammers hack someone’s database to send emails, texts or other communication in a bid to steal their contacts’ sensitive information – was the most common form of attack. Of those that reported falling prey to cybercriminals, 83% of businesses and 79% of charities said they were victims of a phishing attack. This was followed by impersonation, with more than a quarter (27%) of victims reporting that their accounts had been hacked and used by fraudsters.
Insurance experts NimbleFins say: “In addition to providing financial support to offset costs of cybercrime, cyber insurance can also help with reputation management and providing expertise help to deal with the incident. In fact, in many cases, a business gets multiple benefits from their cyber insurance if they are attacked.
“The wider range of expert coverages is heavily utilised as well, with more than half of claims involving help with incident response, forensic analysis and reputation management.”
The average cost of a security breach was reported to be about £8,460, with this increasing to £13,400 for medium and large firms, the survey found. To make matters worse, about 27% of businesses and 23% of charities who are victims say they are experiencing these attacks at least once a week.
How to tell if you need cyber insurance
Any organisation that uses a computer is wise to consider whether it needs cyber insurance. If a business or organisation deals with bank and credit card payments or handles sensitive information, it is especially at risk from hackers. With the introduction of GDPR laws, the risk now goes beyond losing customers, as it is easier to be prosecuted. Businesses are therefore more at risk of having to pay damages and legal costs.
Cyber insurance is not just about protecting an organisation from cybercriminals. If they have complicated and expensive computer networks that fail as a result of cybercrime, they could be left for days unable to trade. Imagine if a consumer goods website had a system malfunction the day before the Black Friday sale. The loss to the business could ricochet through the rest of the financial year. Some cyber insurance packages include business interruption coverage, which can reimburse the company for its lost revenue and any extra costs.
Cyber insurance is being taken out by an increasing number of organisations as more move online and become aware of the risks. The introduction of the GDPR laws and the risk of non-compliance claims have seen more organisations implement basic cybersecurity measures, the Government says. However, the good news is that the proportion of organisations being negatively impacted by a cyberattack is gradually reducing.
So those that use a computer network, handle sensitive data, or take bank and credit card payments online are especially advised by experts to take out cyber insurance. Those that could not trade without the use of their computers would also be wise to look at a package.
How much cyber insurance do I need?
The amount of cyber insurance a business needs depends on how it operates, what information it stores, the income it makes, and the cost to get the business back up and running.
Many coverages come in a cyber insurance package, and not all businesses will need all of them. Some may also find they already have adequate coverage for some of the issues below from other insurance policies they hold.
A brief description of policy options is set out below.
Managing an attack: If the business is the victim of an attack, IT and legal experts are on hand to get the business back up and running and follow the law.
Investigation: IT experts will look into how the attack took place and how best to return to normal.
Notification costs: If sensitive data is stolen, this insurance pays the expenses involved with telling customers and clients.
Reputation management: Notifying those affected is the first step, but the second is how to restore faith in the business. This part of the insurance can help fund a PR campaign and other strategies to maintain the organisation’s reputation.
Business interruption: This invaluable policy covers the shortfall in income due to a disruption in trading. It bridges the lost income from the moment the incident took place to when everything is back to normal, plus any extra costs incurred as a result of the incident. This is one of the most commonly-held elements of cyber insurance.
Restoring computer systems: To get a business back up and running.
Recovering lost data or programmes: Putting a business in touch with specialists or funding their own to find lost documents. This is one of the most commonly-held elements of cyber insurance.
Cyber extortion: If hackers shut down systems in exchange for a ransom payment, this coverage offers advice on how to deal with the criminals. It can cover the financial demand, although this is not often advised.
Media liability: If a data breach leads to the information being published, which negatively impacts a claimant, they can sue the policy holder. This cover funds legal costs and damages.
Privacy protection: Funding compensation and associated legal claims if a third party’s right to privacy has been breached due to a cyber incident.
GDPR non-compliance claims: This is increasingly being offered by insurers as a specified cover, but generally means the insurers will fund defence costs if an investigation is launched into non-compliance with GDPR laws under the privacy protection element of cover mentioned above. However, it is still not clear if insurers will outright fund any fines issued for GDPR non-compliance.