Cyber-Liability

Companies store lots of sensitive customer data. A cyber-attack and a data breach could cost thousands of pounds in fines and damage the company’s reputation.

You may need Cyber-Liability Insurance if you:

• hold customer data, including names, addresses or banking information
• are reliant on computer systems to conduct your business
• have a website
• are subject to a payment card industry (PCI) merchant services agreement.

Computer hacking is on the rise, according to the UK’s National Crime Agency, affecting essential services, businesses and private individuals alike. So, no business is immune.

Hackers are constantly changing their tactics. High profile breaches at large enterprises such as the BBC, British Airways and Boots show that software breaches can happen even when cyber security is apparently robust.

The Cloud is just another platform for hackers to breach. The sheer volume of data and number of users means that the Cloud is an attractive target for hackers.

You may have some recourse in this situation. However, this would be time-consuming, potentially costly, and wouldn't provide the immediate management you’ll need.

Most standard insurance policies do not cover cyber losses. They are typically intended to cover physical losses caused by events like storms, fire, floods, or theft. While some policies may offer limited coverage for certain aspects of cyber incidents, such as legal defence for a data breach, this coverage is usually minimal. It's generally better to have a specific cyber insurance policy to ensure comprehensive coverage for cyber losses.

Most industries now rely on technology for smooth and efficient business operations. Any cyber incident could potentially cripple a business, leading to financial losses from liability claims, repair costs, recovery of systems, lost income, extortion expenses, and more. Cyber policies provide the necessary support for businesses to recover from incidents, including legal, public relations, and loss of income.

First-party cover in your cyber insurance policy covers the costs your business incurs as a result of a cyber-attack. Third-party cover provides defence costs and settlement costs for claims made against your business, such as allegations of failing to keep your customers' data secure.

Yes, it's your organisation's responsibility to protect your customer information. You are liable for any losses and will have to pay any fines or fees resulting from legal actions. Unfortunately, even if you outsource services to other companies, your customers' data is still your responsibility.

Please remember that the process for making a claim can vary between insurers. Typically, you would need to call your insurer's 24/7 claims line to report the claim. After that, your insurer will gather some basic details to assess the situation. They should then call you back promptly to discuss an action plan that outlines the necessary services for your claim, which may include:

• Forensics to assess how the attack occurred and actions needed to prevent a repeat attack (including dark web monitoring to check for compromised data)
• Assistance with Information Commissioner's Office (ICO) notification, if necessary
• Credit monitoring
• Legal services/advice
• Public relations assistance
• Coordination with your IT provider to get you back up and running if needed.

The action plan will then be implemented, and normally, your insurer will arrange regular catch-up calls to ensure everything is proceeding as expected. Once everything is up and running, your insurer will work to reach a final settlement of the claim.

If you have experienced any loss of revenue, your insurer will need to see evidence of this. For example, a lost contract or a comparison between last year's and this year's accounts (it may take time to see losses, so this element may not be settled right away).

Unfortunately, with so many cyber claim scenarios, we can't explain how each one would work in practice. However, it's usually a condition of your policy that the first step in a cyber claim is to call and notify your insurer.

1. 24/7 claims line: it's always a good idea to ensure your insurers offer a 24/7 claims line, as a cyber attack typically happens outside regular business hours, and not all Insurers offer this service.
2. Outsourced service providers: not all insurance policies cover loss of income or additional costs incurred if a hacker targets your technology systems or outsourced service providers, such as a cloud provider or outsourced payroll company. If you're arranging cover, be sure to confirm that this protection is included.

Cyber insurance does not eliminate the need for good security practices. Consider this simple thought experiment: would you leave your doors and windows unlocked and open in your house simply because you have home insurance? Well, the same principle applies to your business. It's crucial to safeguard your digital assets. In the event that attackers breach your security measures, cyber insurance can provide a backup to help mitigate the impact.