With the Association of British Insurers (ABI) reporting that the average cost of a cyber security breach is £600,000 to £1,150,000 for large businesses and £65,000 to £115,000 for SMEs, the cost of a cyber crime can be debilitating for companies both large and small. As a result, many companies include a cyber insurance policy as part of their overall business insurance coverage.
Cyber insurance can provide financial protection against cyber crimes and data breaches, and offer expert assistance with managing an incident. Here's what you need to know about cyber insurance to help you decide if it's a coverage you need for your business.
What Does Cyber Insurance Cover?
A good cyber and data insurance policy will generally cover losses related to hacking, data breaches, viruses and other cyber crimes. This includes direct costs incurred by your business (these are called first party claims) and also covers claims from third parties that were harmed by the cyber attack on your business (called third party claims).
While coverage can vary from company to company, here are typical first party and third party cyber liability areas of coverage. First party coverages include direct costs incurred by your business as a result of a cyber crime, such as:
- Investigating a cyber crime: Your insurer can pay for experts to help you find the source of the cyber crime that affected your business.
- Managing an attack: This can include hiring legal experts to advise you about regulations you need to comply with regarding a breach.
- Reputation management: Cover for costs of a public relations campaign to repair your reputation or even paying for free credit monitoring services or credit protection services for affected customers.
- Recovering lost data or software programmes: If your business loses data or software due to a breach or hack, your policy could cover the cost of hiring experts to repair and/or restore this data or software.
- Restoring computer systems: Covers hiring experts to restore computer systems damaged by a cyber crime.
- Business interruption: This covers loss of income if a cyber attack or data breach prevents you from doing business.
- Cyber Extortion: Your insurance can provide expert advice and even cover the ransom if necessary in the case of hackers holding your business data or systems for ransom.
- Notification costs: Covers the cost of notifying affected third parties (e.g., your customers) of a data breach.
The third-party section covers losses or damage to third parties (e.g., your clients or customers) resulting from the cyber crime that affected your business, and protects your business by covering legal costs and damages or settlement payments. For example:
- Privacy protection: If a third party brings a claim against you for infringing their right to privacy or violating the consumer data protection law (GDPR), cyber insurance should cover legal defence costs, forensic costs and settlements.
- Media liability: Covers the cost of investigation, defence costs and damages arising from defamation, breach of privacy or negligence in electronic or print publications.
Examples of Cyber Crime Insurance
Example 1 (First party): An employee at your company is tricked into opening a file that appears to be from a coworker. The file is actually malware that allows hackers to gain access to your company files and data and locks down your network. Your company loses access to valuable data and your employees are unable to work until it is dealt with. Your insurance company could pay for experts to deal with the situation, including paying a ransom if necessary, and even reimburse you for lost income.
Example 2 (Third party): You run an online travel company. You store customer data in a database system that is hacked. Hackers gain access to the data and steal private medical, identification and financial information. Your insurer might pay for investigating the hack, any legal fees, notifying customers, providing credit score monitoring for affected customers and any settlements or judgments in the case.
What does cyber insurance NOT cover?
Cyber Liability Insurance exclusions will vary from company to company, but policies typically don't include situations such as:
- Failure by your service providers such as interruption of service by your internet service provider, telecommunications provider or cloud provider will not be covered.
- Hacks by directors or partners would not be covered.
- Intellectual Property losses are generally not covered.
- Bodily injury would not be covered (this is where public liability, employers' liability or personal accident insurance come in).
- Compliance reviews, upgrades to your company’s security systems, internal investigations and routine regulatory supervision are not covered by cyber insurance.
- Defamatory statements that you knew (or should have known) were defamatory at the time of publication are not covered.
Do I Need Cyber Insurance?
If your company processes payment card information or stores sensitive customer information such as names, addresses, banking information or other personal data then it's a good idea to have cyber insurance. Even companies that don't hold this type of data should consider buying a policy, as it can help protect financially against events such as a hacker locking you out of your computer or even locking down your entire company network.
This is particularly true of companies that employ networked environments (that is, they have a large number of computers and devices linked together on an internal, private network), although even a self-employed sole trader with a single laptop can suffer from cyber crime.
How much does Cyber Insurance Cost?
The cost of a cyber insurance policy will depend on factors like the size of your business and your line of work. The cheapest cyber insurance costs from around £132 a year (£11 a month) but many small businesses will pay close to £240 a year for a good cyber insurance policy. And larger companies will pay multiples of this. The best way to find out what you'll need to pay is by getting some quotes online or from your existing business insurance provider.
A good cyber insurance policy should cover ransomware. Specifically, this means covering cyber extortion costs related to hiring a negotiating consultant, the cost of a ransom paid under duress and even a stolen ransom (e.g., if the ransom is stolen on the way to the agreed location to pay the ransom).
The amount of cyber insurance you need will depend on factors such as your annual turnover and business-specific risks such as the amount and type of data you hold, your company's reliance on networked systems, etc.
The jury is still out on this. According to research published at Lexology, there is still a great deal of uncertainty regarding whether or not GDPR fines are insurable in the UK. In fact, in the face of this uncertainty the Global Federation of Insurance Associations has asked for guidance from the Organisation for Economic Cooperation and Development (OECD) on the matter.
Cyber insurance might be included in your commercial property, business interruption or professional indemnity insurance, but may be missing some elements of cover. As a result, more and more businesses are buying specialised cyber insurance policies as part of their overall business insurance coverage. You can find specialised cover from many business insurance companies as well as from some comparison sites.
Cyber Crime Statistics
According to the latest Cyber Security Breaches Survey, 46% of businesses suffered some form of cyber security breach or attack within the last year. What are the most common cyber crimes, and how does insurance help? Let's take a look at the statistics.
Most Common Cyber Crimes on Businesses
By far, the most common cyber crimes against businesses in the UK are phishing attacks—that is, staff receiving fraudulent emails or being directed to click on fraudulent websites. These often include malicious code such as viruses or ransomware that are included in attachments or initiated when a link is clicked to a malicious web page.
You'll notice that the figures below add up to more than 100%—this is because many cyber crimes include more than one element. For example, an employee accidentally triggering ransomware when they click on an email attachment would count in both the fraudulent email and malware categories.
| Most Common Cyber Crimes | Businesses | Charities |
|---|---|---|
| Fraudulent emails or being directed to fraudulent websites | 86% | 85% |
| Others impersonating organisation in emails or online | 26% | 39% |
| Viruses, spyware or malware | 16% | 22% |
| Hacking or attempted hacking of online bank accounts | 9% | 10% |
| Unauthorised use of computers, networks or servers by outsiders | 6% | 8% |
| Unauthorised use of computers, networks or servers by staff | 3% | 6% |
| Other cyber breaches or attacks | 5% | 6% |
Most Common Cyber Insurance Claims
In addition to providing financial support to offset the costs of a cyber crime, cyber insurance also helps with reputation management and provides expert help to deal with the incident. In fact, in many cases a business gets multiple benefits from its cyber insurance if it is attacked.
The most common cyber insurance claim is for legal support following a breach—in 73% of cyber claims legal support was utilised. Business interruption coverage was also commonly used, and claimed by 68% of businesses that made a cyber insurance claim last year. And 67% of businesses claimed for loss of data due to cyber crime.
The wider range of expert coverages is heavily utilised as well, with more than half of claims involving help with incident response, forensic analysis and reputation management.
| Most Common Cyber Insurance Claims | Businesses | Charities |
|---|---|---|
| Legal support following a breach | 73% | 71% |
| Insurance against lost earnings or profits | 68% | 47% |
| Insurance against loss of data | 67% | 60% |
| Help with incident response following a breach | 46% | 51% |
| Help with forensic analysis of a breach | 28% | 27% |
| Help with reputation management following a breach | 27% | 37% |