Most industries now rely on technology for smooth and efficient business operations, and this way of working invites certain risks. Any cyber incident could potentially cripple a business, leading to financial losses from liability claims, repair costs, recovery of systems, lost income, extortion expenses, and more.
The solution? Consider insurance cover. Cyber policies provide the necessary support for businesses to recover from incidents, including legal support, public relations assistance, and cover for loss of income. Read on for some key questions around Cyber Liability Insurance, why it’s important, and what to consider if you’re looking for cover.
Why is my business at risk?
Regardless of size and sector, no business is immune to cybercrime. Customer data is a target for cyber-attacks, and a data breach will not only cost a company in fines, but also damage its reputation and result in potential lost income.
You may need Cyber Liability Insurance if you:
• hold customer data, including names, addresses or banking information
• are reliant on computer systems to conduct your business
• have a website
• are subject to a payment card industry (PCI) merchant services agreement.
Is my organisation responsible if there is a breach of our computer system?
Yes, it's your organisation's responsibility to protect your customer information. You are liable for any losses and will have to pay any fines or fees resulting from legal actions. Unfortunately, even if you outsource services to other companies, your customers' data is still your responsibility.
We have good protective software. Why do we need cover?
Hackers are constantly changing their tactics. High-profile breaches at large enterprises such as the BBC, British Airways and Boots show that software breaches can happen even when cyber security is apparently robust.
We back up to the Cloud. Why do we need cover?
The Cloud is just another platform for hackers to breach. The sheer volume of data and number of users means that the Cloud is an attractive target for hackers.
Won’t our Cloud provider pay?
You may have some recourse in this situation. However, this would be time-consuming, potentially costly, and wouldn't provide the immediate management you’ll need.
Is my current insurance policy likely to cover me for cyber losses?
Most standard insurance policies do not cover cyber losses. They are typically intended to cover physical losses caused by events like storms, fire, floods, or theft. While some policies may offer limited coverage for certain aspects of cyber incidents, such as legal defence for a data breach, this coverage is usually minimal. It's generally better to have a specific cyber insurance policy to ensure comprehensive coverage for cyber losses.
If I have cyber insurance, which security practices do I no longer need to maintain?
Cyber insurance does not eliminate the need for good security practices. Consider this simple thought experiment: would you leave your doors and windows unlocked and open in your house simply because you have home insurance? Well, the same principle applies to your business. It's crucial to safeguard your digital assets. In the event that attackers breach your security measures, cyber insurance can provide a backup to help mitigate the impact.
What is the difference between first-party and third-party cover?
First-party cover in your cyber insurance policy covers the costs your business incurs as a result of a cyber-attack. Third-party cover provides defence costs and settlement costs for claims made against your business, such as allegations of failing to keep your customers' data secure.
When selecting an insurer, what features and covers should I look for?
1. 24/7 claims line: it's always a good idea to ensure your insurer offers a 24/7 claims line, as cyber-attacks typically happen outside regular business hours and not all insurers offer this service.
2. Outsourced service providers: not all insurance policies cover loss of income or additional costs incurred if a hacker targets your technology systems or outsourced service providers, such as a cloud provider or outsourced payroll company. If you're arranging cover, be sure to confirm that this protection is included.
What can I expect to happen when I make a cyber insurance claim?
Please remember that the process for making a claim can vary between insurers. Typically, you would need to call your insurer's 24/7 claims line to report the claim. After that, your insurer will gather some basic details to assess the situation. They should then call you back promptly to discuss an action plan that outlines the necessary services for your claim, which may include:
• Forensics to assess how the attack occurred and actions needed to prevent a repeat attack (including dark web monitoring to check for compromised data)
• Assistance with Information Commissioner's Office (ICO) notification, if necessary
• Credit monitoring
• Legal services/advice
• Public relations assistance
• Coordination with your IT provider to get you back up and running if needed.
The action plan will then be implemented, and normally, your insurer will arrange regular catch-up calls to ensure everything is proceeding as expected. Once everything is up and running, your insurer will work to reach a final settlement of the claim.
If you have experienced any loss of revenue, your insurer will need to see evidence of this, for example a lost contract or a comparison between last year's and this year's accounts (it may take time to see losses, so this element may not be settled right away).
Unfortunately, with so many cyber claim scenarios, we can't explain how each one would work in practice. However, it's usually a condition of your policy that the first step in a cyber claim is to call and notify your insurer.
Want to know more?
If you have any questions around Cyber Liability Insurance or would like to discuss your requirements, reach out to our team via the form on our designated Cyber Liability Insurance page.