What is cyber insurance and do you really need it?

Posted on February 1, 2023 by Louise Howland
A cyberattack on a company’s computer network and systems could cause widespread disruption, operational downtime, financial loss, legal action and reputational damage. Cyber insurance, also sold as cyber liability or cyber risk insurance, is designed to offset the costs and damages a business incurs following a cyberattack.
There are a number of steps you can take to limit the risk of a cyberattack and safeguard your business. However, cyber insurance provides an extra layer of protection for your organisation in a worst-case scenario.
Explore what cyber insurance is and what a policy would cover below.
What is cyber insurance?
Cyber insurance is a specialist insurance cover designed to protect a business, and mitigate its losses, in the event of a malicious cyberattack or serious data breach.
Cyber insurance is one of the fastest-growing areas of insurance cover due to both greater reliance on technology and increasing levels of cybercrime. With cybercriminals constantly devising new ways of breaching cyber defences, cybersecurity needs to continually develop in response to this.
The latest annual review published by the UK’s National Cyber Security Centre (NCSC) shows it handled hundreds of cyber incidents involving businesses and organisations in the year up to August 2022, of which 63 were serious enough to require a national-level response.
Over the same period, the NCSC’s takedown services also removed a staggering 2.1 million commodity attacks: high-volume, low-sophistication campaigns, usually phishing and other scams, targeting citizens and small businesses.
What exactly does a cyber insurance policy cover?
The loss of data or funds through malicious or accidental means, along with the grim prospect of technology or system failure, can be catastrophic and expensive for any organisation.
In the event of a cyberattack, cyber insurance provides a business with cover for the financial losses it sustains from the breach, in addition to its liability for any damages a third party may claim. There is a diverse range of cyber insurance products and not all policies are the same, so the policy wording, exclusions and sub-limits need to be read carefully. However, the majority of policies generally cover:
- Business disruption: Lost revenue due to systems or networks being down or encrypted following a cyberattack.
- Contingent (sometimes called inadvertent) business interruption: Lost revenue due to systems or networks being down because of a failure at a third party the business depends on, such as a cloud or managed IT provider.
- Data retrieval costs: The cost of retrieving and restoring data and information following a cyberattack and, under some policies, accidental loss or physical damage to storage media such as fire or flood.
- Digital and data asset destruction: The loss of data stored on tapes, hard disks, and other electronic media.
- Social engineering: Losses incurred when employees are deceived into transferring funds or divulging credentials or data, for example through phishing or business email compromise. This cover is frequently subject to a lower sub-limit than the rest of the policy.
- Response and remediation: The cost of containing and remedying a cyberattack, including credit monitoring for the individuals affected and public relations support to repair the business’s reputation.
- Notification costs: The cost of identifying and notifying victims about a data breach.
- Forensics: The cost of hiring forensic cyber experts to analyse the cause of a breach and the damage caused.
What does cyber insurance not cover?
There are certain situations where cyber insurance does not provide cover. These commonly include projected future revenue loss, financial damage caused by war or terrorism (an exclusion that has been applied to state-sponsored attacks), and, depending on the policy, damage caused by malware that was not specifically targeted at the affected business. Exclusions vary between insurers, so check the wording before assuming a scenario is covered.
Cyber insurance has, in the past, also included the cost of ransom payments to recover data from cybercriminals. However, insurers have increasingly restricted or excluded this cover, and most cybersecurity experts recommend businesses avoid paying attackers: there is no guarantee a decryption key will work, or that exfiltrated data will be deleted rather than sold or leaked, and a payment to a sanctioned group may itself be unlawful.
What does first-party and third-party cyber insurance mean?
Cyber Insurance is similar to most types of insurance in that there is a difference between first-party and third-party coverage relating to what a business is trying to protect.
- First-party cyber insurance covers a business from damages when its own network and systems have suffered a cyberattack or data breach. This is likely to include the cost of notifying customers of a data breach, investigating the source of a data breach and restoring a company’s reputation.
- Third-party cyber insurance covers damage caused by a cyberattack or data breach to other businesses and organisations including legal fees in the case a client should decide to sue.
Most insurance providers offer both first-party and third-party cyber insurance cover in a single policy. It is an increasing necessity for organisations in all industries and particularly the IT sector, where large amounts of data and sensitive information are handled on behalf of clients.
Who needs cyber insurance?
Any business which stores, uses or sends data via digital channels will benefit from cyber insurance. This sensitive data could belong to a business or customer. In summary, cyber insurance cover should be taken out by any organisation that:
- Stores, uses or sends business-critical information and personal data such as names, addresses, banking details and passport numbers
- Has its own online bank account
- Has its own website
- Is reliant on digital technology to conduct everyday business activities
- Takes card payments and so must comply with the Payment Card Industry Data Security Standard (PCI DSS)
The importance of cyber insurance for businesses was highlighted in IBM’s Cost of a Data Breach Report 2022, which found the average cost of a data breach rose 2.6% to USD 4.35 million in 2022. As a result, effective risk management is a growing priority, and cyber insurance remains one of the most effective ways to transfer the financial impact that remains after technical controls have reduced the likelihood of an incident.
Despite the clear benefits of cyber insurance, only 43% of UK businesses were protected by a cyber insurance policy according to the government’s Cyber Security Breaches Survey 2022, leaving the majority exposed to the full cost of a cyberattack or data breach.
Insurance does not replace legal obligations: UK businesses also have a duty to protect the personal data of customers and individuals under the UK General Data Protection Regulation and the Data Protection Act 2018. The Information Commissioner’s Office can impose a two-tier financial penalty for infringements: up to £8.7 million or 2% of annual global turnover for the lower tier, and up to £17.5 million or 4% of annual global turnover for the most serious breaches, whichever is higher in each case. Regulatory fines are also often excluded or only partly insurable, which is one more reason not to treat a policy as a substitute for controls.
Find the right cyber insurance for your business
There is a wide range of cyber insurance policies available depending on the level of protection a business requires. Businesses should weigh up a number of factors before deciding which policy is right for them, including their risk profile and the damage a data breach would cause them and their stakeholders.
The sensitivity of data held by a business should also be taken into account. For example, damage caused by a data breach is likely to be worse if it involves the theft of sensitive personal information and financial details.
Many insurers will charge lower premiums for businesses and organisations that take vital steps to mitigate the risk of a cyberattack or data breach, for example by investing in cyber awareness training to strengthen their human firewall. Underwriting questionnaires now routinely ask about specific technical controls too, such as multi-factor authentication on email and remote access, tested offline backups, endpoint detection and response, and timely patching, and a business that cannot evidence these may find cover more expensive or unavailable.
Strengthen your cybersecurity defences with ramsac
Cybersecurity breaches are one of the main threats in today’s business landscape. Protect your organisation from cyber threats by contacting us today.