With a recent government survey reporting that the average cost of a cyber security breach for a UK business was £4,180 in 2019 (£22,700 for larger companies), the cost of a cybercrime can be debilitating for companies both large and small. As a result, many companies include a cyber insurance policy as part of their overall business insurance coverage.
What is a Cyber Attack?
A cyber attack is when hackers maliciously damage, destroy or control computers, computer systems, computer networks or infrastructure; or steal or destroy data.
What is Cyber Insurance?
Cyber liability insurance definition: Cyber insurance can provide financial protection against cyber crimes and data breaches, and offer expert assistance with managing an incident. Here's what you need to know about cyber insurance to help you decide if it's a coverage you need for your business.
What Does Cyber Security Insurance Cover?
Cyber crime insurance coverage will generally cover losses related to hacking, data breaches, viruses and other cybercrimes. This includes direct costs incurred by your business (these are called first party claims) and also covers claims from third parties that were harmed by the cyber attack on your business (called third party claims).
First party risk
While coverage can vary from company to company, here are typical first party and third party cyber liability areas of coverage. First party coverages include direct costs incurred by your business as a result of a cyber crime, such as:
- Investigating a cybercrime: Your insurer can pay for experts to help you find the source of the cybercrime that affected your business.
- Managing an attack: This can include hiring legal experts to advise you about regulations you need to comply with regarding a breach.
- Reputation management: Cover for costs of a public relations campaign to repair your reputation or even paying for free credit monitoring services or credit protection services for affected customers.
- Recovering lost data or software programmes: If your business loses data or software due to a breach or hack, your policy could cover the cost of hiring experts to repair and/or restore this data or software.
- Restoring computer systems: Covers hiring experts to restore computer systems damaged by a cybercrime.
- Business interruption: This covers loss of income if a cyberattack or data breach prevents you from doing business.
- Cyber Extortion: Your insurance can provide expert advice and even cover the ransom if necessary in the case of hackers holding your business data or systems for ransom.
- Notification costs: Covers the cost of notifying affected third parties (e.g., your customers) of a data breach.
Third party risk
The third-party section covers losses or damage to third parties (e.g., your clients or customers) resulting from the cyber crime that affected your business, and protects your business by covering legal costs and damages or settlement payments. For example:
- Privacy protection: If a third party brings a claim against you for infringing their right to privacy or violating the consumer data protection law (GDPR), cyber insurance should cover legal defence costs, forensic costs and settlements.
- Media liability: Covers the cost of investigation, defence costs and damages arising from defamation, breach of privacy or negligence in electronic or print publications.
Cyber Liability Insurance Examples
First party cyber liability insurance example: An employee at your company is tricked into opening a file that appears to be from a coworker. The file is actually malware that allows hackers to gain access to your company files and data and locks down your network. Your company loses access to valuable data and your employees are unable to work until it is dealt with. Your insurance company could pay for experts to deal with the situation, including paying a ransom if necessary, and even reimburse you for lost income.
Third party cyber liability insurance example: You run an online travel company. You store customer data in a database system that is hacked. Hackers gain access to the data and steal private medical, identification and financial information. Your insurer might pay for investigating the hack, any legal fees, notifying customers, providing credit score monitoring for affected customers and any settlements or judgments in the case.
How does cyber insurance work?
If you are the victim of a cyber crime, contact your cyber insurance provider immediately. For starters, they may be able to assist with preventing the situation from deteriorating further or restoring your data and systems. Beyond that, their professionals can help with reputation management, notifying your customers, ensuring you comply with regulations, supporting you through extortion, etc.
What is not covered by cyber insurance?
Cyber Liability Insurance exclusions will vary from company to company, but policies typically don't include situations such as:
- Failure by your service providers such as interruption of service by your internet service provider, telecommunications provider or cloud provider will not be covered.
- Hacks by directors or partners would not be covered.
- Intellectual Property losses are generally not covered.
- Bodily injury would not be covered (this is where public liability, employers' liability or personal accident insurance come in).
- Compliance reviews, upgrades to your company’s security systems, internal investigations and routine regulatory supervision are not covered by cyber insurance.
- Defamatory statements that you knew (or should have known) were defamatory at the time of publication are not covered.
Do I Need Cyber Insurance?
In short, cyber liability insurance can protect against a type of risk that other types of business insurance won't cover. If your company processes payment card information or stores sensitive customer information such as names, addresses, banking information or other personal data then cyber insurance can offer financial protection and professional advice to help with a covered event. Even companies that don't hold this type of data might want a policy, to protect financially against events such as getting a computer virus or a hacker locking you out of your computer or even locking down your entire company network.
This is particularly true of companies that employ networked environments (that is, they have a large number of computers and devices linked together on an internal, private network), although even a self-employed sole trader with a single laptop can suffer from cyber crime.
Any business can need cyber insurance, from a self-employed person to a limited company.
What to Look for in Cyber Insurance Coverage
While cyber insurance cover needs can vary from one business to another, there are at least 10 features to look for in a good policy:
- Legal advice
- Forensic investigations
- GDPR non-compliance claims
- Lost income due to data breach
- Customer notification
- Regulator notification
- Cost of equipment repair or replacement related to cyber attack damage
- Recovering lost data or programmes
- Reputation management
- Cyber extortion
How Much Does Cyber Insurance Cost?
The cost of a cyber insurance policy will depend on factors like the size of your business and your line of work. The cheapest cyber insurance costs from around £132 a year (£11 a month) but many small businesses will pay close to £240 a year for a good cyber insurance policy. And larger companies will pay multiples of this. The best way to find out what you'll need to pay is by getting some quotes online or from your existing business insurance provider.
Cybersecurity Insurance Providers UK
There are a number of cyber insurance providers in the UK from whom you can buy direct, including Hiscox and Direct Line. Additionally, business brokers such as Towergate and PolicyBee may be able to source cyber security quotes for their clients from companies like AIG, Chubb, Beazley, Aviva, Allianz and more. Unfortunately, cyber insurance comparison is not readily available online in the UK yet. And many household-name small business insurers do not offer cyber liability insurance (e.g., LV=).
A good cyber insurance policy should cover ransomware. Specifically, this means covering cyber extortion costs related to hiring a negotiating consultant, the cost of a ransom paid under duress and even a stolen ransom (e.g., if the ransom is stolen on the way to the agreed location to pay the ransom).
The amount of cyber insurance you need will depend on factors such as your annual turnover and business-specific risks such as the amount and type of data you hold, your company's reliance on networked systems, etc.
The jury is still out on this. According to research published at Lexology, there is still a great deal of uncertainty regarding whether or not GDPR fines are insurable in the UK. In fact, in the face of this uncertainty the Global Federation of Insurance Associations has asked for guidance from the Organisation for Economic Cooperation and Development (OECD) on the matter.
Cyber insurance might be included in your commercial property, business interruption or professional indemnity insurance, if you have these, but may be missing some elements of cover. As a result, more and more businesses are buying specialised cyber insurance policies as part of their overall business insurance coverage. You can find specialised cover from many business insurance companies as well as from some comparison sites.
Cyber risk liability insurance covers losses related to hacking, data breaches, viruses and other cybercrimes—both first party costs incurred by your business and third party claims if another party was harmed by the cyber attack on your business.
Cyber Crime Statistics
According to the latest Cyber Security Breaches Survey, 46% of businesses suffered some form of cyber security breach or attack within the last year. What are the most common cyber crimes, and how does insurance help? Let's take a look at the statistics.
Most Common Cyber Crimes on Businesses
By far, the most common cybercrimes against businesses in the UK are phishing attacks—that is, staff receiving fraudulent emails or being directed to click on fraudulent websites. These often include malicious code such as viruses or ransomware that are included in attachments or initiated when a link is clicked to a malicious web page.
You'll notice that the figures below add up to more than 100%—this is because many cyber crimes include more than one element. For example, an employee accidentally triggering ransomware when they click on an email attachment would count in both the fraudulent email and malware categories. This is why data breach insurance is so important.
| Most Common Cyber Crimes | Businesses | Charities |
|---|---|---|
| Fraudulent emails or being directed to fraudulent websites | 86% | 85% |
| Others impersonating organisation in emails or online | 26% | 39% |
| Viruses, spyware or malware | 16% | 22% |
| Hacking or attempted hacking of online bank accounts | 9% | 10% |
| Unauthorised use of computers, networks or servers by outsiders | 6% | 8% |
| Unauthorised use of computers, networks or servers by staff | 3% | 6% |
| Other cyber breaches or attacks | 5% | 6% |
Most Common Cyber Insurance Claims
In addition to providing financial support to offset the costs of a cybercrime, cyber insurance also helps with reputation management and provides expert help to deal with the incident. In fact, in many cases a business gets multiple benefits from its cyber insurance if it is attacked.
The most common cyber insurance claim is for legal support following a breach—in 73% of cyber claims legal support was utilised. Business interruption coverage was also commonly used, and claimed by 68% of businesses that made a cyber insurance claim last year. And 67% of businesses claimed for loss of data due to cybercrime.
The wider range of expert coverages is heavily utilised as well, with more than half of claims involving help with incident response, forensic analysis and reputation management.
| Most Common Cyber Insurance Claims | Businesses | Charities |
|---|---|---|
| Legal support following a breach | 73% | 71% |
| Insurance against lost earnings or profits | 68% | 47% |
| Insurance against loss of data | 67% | 60% |
| Help with incident response following a breach | 46% | 51% |
| Help with forensic analysis of a breach | 28% | 27% |
| Help with reputation management following a breach | 27% | 37% |
We spoke with Dr Kris Stoddart, an Associate Professor in Cyber Threats, Criminology, Sociology and Social Policy at Swansea University, to provide critical insight on cyber insurance for business owners. Here's what he had to say:
This could close the business down depending on the business or type of attack in a worst case scenario. It could be ransomware, a man-in-the-middle attack (involving someone they believe to be a trusted party), or cause such reputational damage they cannot recover. It could also be/lead to a data breach (this could be fined under GDPR), and/or be personally embarrassing. There is quite a wide spectrum from worst case to best.
From what I gathered a few years ago, in essence (cyber) insurance could be invalidated by poor cyber hygiene. This ranges from a complete lack of anti-virus protection to insecure or guessable passwords through to losing USB sticks and deficient physical security and much else besides.
Awareness—including/especially of social engineered spear phishing. Getting the right solutions/products for the business/business needs. Notifying authorities (local police, ROCU, or NCA, or even the NCSC) in the event of an incident or breach (other than poorly crafted phishing e-mails which are easy to spot). Non-reporting of incidents and breaches is a problem (mainly for fear of reputational damage). Depending on the size (and sector) of the SMB, budget for ICT security and ask for help and advice.