Cyber insurance: the key facts
Here’s all the important info you should know about cyber liability insurance
Modern day business has invested heavily in the cyber market, but as with anything that relies on computing and the internet it has found itself vulnerable to a new and ever-changing threat. There are however many measures you can put in place to protect your company from cyber-attacks, and cyber insurance can offer you a safety net should the worst happen.
What is cyber insurance?
Cyber insurance is cover you take out in case your business becomes the victim of a cyber-attack – for example if a piece of malware infects your computer system, or a breach in security leads to a massive data theft. These attacks can have drastic consequences, especially for smaller companies who may not have the budget to cope with the potential damage.
Who needs cyber insurance?
Most modern businesses need cyber insurance, as many companies conduct a significant proportion of their activity using a computer system or the internet. While this has made communication and connectivity much easier and more convenient, it also means that the entire infrastructure of a business might be vulnerable to cyber threats, both externally and internally. Therefore you should seriously consider cyber insurance if your business:
Relies on a computer system
Has a website
Uses online software
Holds electronic data about your customers, clients, employees or anything else
What does cyber insurance cover?
Cyber insurance coverage can include compensation for a variety of costs related to cyber security, ranging from technical fixes to future preventative measures and reputational repair. However, the coverage you receive will depend on your provider and their specific policy details.
A good cyber insurance policy should include cover for:
Monitoring and notification – while some businesses may have a cyber-security system in place, smaller enterprises might benefit from a monitoring and notification setup so they can be aware of any changes in status. Insurers can sometimes provide this as part of their policy package.
Investigation cover – in the event that your computer system does become compromised, your insurer might be able to cover the cost of the investigation into the issue.
Business disruption – as many companies depend on their cyber infrastructure in order to conduct business, an attack could possibly cause a huge disruption. With cyber insurance you may be compensated for any financial loss your business incurs as a result.
IT services – in order to begin your recovery after an attack, you will likely require a number of IT related services to get your business up and running again. While these can be costly, a good cyber insurance policy should provide compensation.
Data services – when your data has been compromised you’ll possibly also need data services in order to restore and/or recreate any lost information, and you may also be compensated for this expenditure.
Liability – cyber security breaches can often be followed by fines and lawsuits relating to lost customer or client data, especially with the new GDPR that came into force in May 2018. Taking out cyber insurance means you might find cover for the financial hit.
Public relations – the fallout from a cyber-attack may involve a certain amount of public image repair, and the PR costs associated with this can sometimes also be covered by a cyber insurance policy.
Employee education and coaching – to prevent further cyber-attacks in the future, your insurer may also cover the cost of educating your staff in the best practices for cyber security. This can be particularly important due to the ever-changing nature of cyber-attacks.
Security services – insurers might also contribute to the cost of installing a new or upgraded cyber security system, as a further preventative measure.
Cyber insurance can also provide cover for incidents that relate to your business’s data and computer systems but aren’t the result of a malicious cyber-attack. These can include:
System failure – if your computer system fails as a result of something non-malicious, such as a power cut or power surge, overheating, or a natural disaster, your insurer may compensate you for the costs of repair and restoration.
Copyright infringement – companies with a digital presence might also find themselves inadvertently infringing on copyright, for example using an image without permission. Some insurers can also provide cover for costs related to this.
Hardware and devices – any devices used by your business, such as laptops, phones, and storage devices, can sometimes also be included in coverage in case they are damaged, lost, or stolen.
Things to be aware of when buying cyber insurance
Some cyber insurance companies may have certain criteria you need to meet in order to qualify for cover – this is to ensure you are well protected in case of an attack, therefore potentially helping to reduce the likelihood of you having to claim. These requests can be categorised as:
You may have to create a cyber-risk profile to show insurers exactly what your current situation is regarding cyber security and protection, so they have a good idea of your vulnerabilities and what you might be more likely to claim for. This also might include a list of potential expenses you would require if you were the victim of a cyber-attack, and any related service costs for third parties such as outsourcing investigations and data/network services.
Best practice employment
You could also be required to show that your company and its employees follow recommended best practices concerning cyber security. This can mean:
Reactionary policies, including different means of monitoring and alarm systems.
Security measures, for example anti-virus and threat scanning software.
Employee education about possible risks involved and the correct behaviour to reduce these risks.
For example, half of all businesses that experienced a cyber-security breach in 2015 provided funds for additional staff training, while 47% implemented changes to existing systems in place, and just under 40% altered their policies and procedures regarding cyber-attacks.
Tips for buying cyber insurance
Taking out cyber insurance is an important step for modern businesses, but it can pay to consider the following before you buy:
Access and response – cyber-attacks can happen at any time, so it’s good to make sure you’ll be able to contact your insurer immediately if something should happen. This means they can provide the appropriate response as soon as possible.
Standalone vs existing policy – it’s a good idea to check whether your provider’s cyber insurance package is a standalone policy, as these can sometimes offer more comprehensive cover than an extension to an existing policy – for example, an additional extra for business insurance.
Additional coverage – you should also check what level of coverage is included as standard and what you might need to take extra policies out for, so you know you’re covered for all possible cyber-related issues.
Targeted attacks vs collateral damage – some insurers might distinguish between a deliberate attack on your business and a wider-ranging attack in which you were collaterally damaged. As the consequences can be serious regardless of whether you were targeted or not, it’s best to make sure you’ll be covered for both.
Non-malicious action taken by employees – if the attack on your computer or network system wasn’t actually an attack but a mistake made by your employee, this may not come under standard cover. It’s best to check with your insurer whether it’s included or offered as an optional extra.
Time frames for coverage – the cover you take out from some insurers may only be valid for a certain time period, making it important to check exactly how long your policy will last so you can renew or take out a new one in time. You should keep in mind that auto-renewal can sometimes mean that your premium price also rises automatically.
Will extra security controls reduce premiums – installing extra security measures and practices could show insurers that you’re at a lower risk of claiming for cyber insurance, which could in turn reduce your premium payments – ask your insurer to be sure if this is something they will do.
How will claims affect future premiums – It’s also worth asking how making a claim will affect your premiums, as often but not always your premium price will increase if you do. Conversely, your insurer may also lower premiums if you don’t make any claims in a given period of time.
Will the policy stay up to date – as cyber threats and computer technology are constantly evolving, it’s understandable that cyber insurance policies need to change regularly to keep up. Ask your insurer if this means you’ll have to renew your policy or if it’s done automatically, as it could make a difference to whether you’re covered for the latest cyber threats.
Comparing cyber insurance
Having protection against cyber threats in place is important; however, attacks can sometimes be unavoidable. If you or your company falls victim to a cyber-attack, having cyber insurance can be a good way to limit the damage done – not only can it ease the financial burden of getting your business back on track, it can also help you prepare for future attacks so they don’t have the same impact.
You should remember to shop around and compare cyber insurance before buying, as this is the best way to find a policy that matches your exact needs without paying over the odds. Insurers will ask about your company’s current situation regarding cyber threats, so it can be useful to do a self-risk assessment so you know what to look for in a cyber-insurance deal.