With a 3 in 5 chance of a small business failing within six months of a cyber-attack, being aware of the different ways to layer up protection against such threats is a must.

When we buy a car, house, pet and even a phone, purchasing insurance is something we don’t think twice about and we hope that because you’re reading this that you’d count business insurance in that list, too!

However, when it comes to an additional policy covering cyber, there’s more work to be done to raise awareness of its benefits. The UK Cyber Security Breaches Survey 2022 reports that over four in ten businesses (43%) and almost three in ten charities (27%) say they are insured against cyber security risks in some way.

Paul Peters, the director of the Cyber Resilience Centre for Wales (WCRC) met with Jonathan Purvis, policy advisor with the Association of British Insurers to learn more about cyber insurance, its importance and what to look out for when selecting a policy.

PP: What is the ABI?

JP: The Association of British Insurers (ABI) is the voice of the UK’s world-leading insurance and long-term savings industry. A productive and inclusive sector, our industry supports towns and cities across Britain in building back a balanced and innovative economy, employing over 357,000 individuals in high-skilled, lifelong careers, two-thirds of which are outside of London.

Our members manage investments of £1.6 trillion, pay over £17.2 billion in taxes to the government and support communities across the UK by enabling trade, risk-taking, investment and innovation. We are also a global success story, the largest in Europe and the fourth largest in the world. The ABI represents over 200 member companies, including most household names and specialist providers, giving peace of mind to customers across the UK.

PP: Why is cyber insurance important?

JP: We live in a rapidly changing society in which the way we work and carry out our lives is becoming ever more dependent on digital infrastructure. With increasing reliance on digital infrastructure comes increased risk. Our society, economy and lives have never been more reliant on the security and resilience of the computer systems on which our world now depends.

Over the coming years, cyber threats will continue to plague businesses of all sizes and new threats will emerge, with the risk of a data breach or ransomware attack increasing and the impact of new attacks becoming ever more devastating.

It is in this context that the role of cyber insurance can be seen more clearly as a key facilitator in the promotion of the increased cyber resilience of businesses and individuals, and in providing the financial support needed to get affected businesses back on their feet.

PP: What does it cover?

JP: Cyber insurance covers losses relating to damage to or loss of information from IT systems. It covers the financial losses to your business arising from a cyber-attack or incident, such as theft of funds and cost of repairing damage to IT systems, as well as any liability actions that might be brought against you, such as investigation and defence costs, civil damages, compensation payments to affected parties.

In the event of an IT failure or cyber-attack, cyber insurance will provide businesses rapid 24/7 support from cyber specialists who are able to assess a company’s systems, identifying the source of any breach and suggesting preventative measures for the future. This support can often include advice on legal and regulatory requirements, public relations as well as what steps to take to notify customers of an incident.

Cyber insurance also provides preventative support with improving the cyber resilience of businesses. Insurers will help with identifying, managing and mitigating cyber risks by helping to apply better risk mitigation techniques to minimise exposure and damage, providing staff training, password management, access to threat intelligence, conducting vulnerability scanning/assessments and access to cyber security expertise.

The following example demonstrates the value cyber insurance can bring not just when a cyber-attack occurs, but in helping improve business cyber resilience:

A PR company noticed a problem with its emails. Its regular IT contractor investigated and concluded that the most likely cause was malicious activity. The business contacted its insurer, which then deployed an IT forensics team on-site to investigate and confirmed the company had indeed been the victim of a malware attack.

It also confirmed that the hackers who deployed the malware had accessed systems and that personal data was potentially compromised. After investigating the extent of the breach, the IT team removed the malware and plugged the gap in the PR company’s security that had allowed the breach. The insurer then engaged legal counsel to advise the company on its notification obligations, and then arranged the notification of the regulator and relevant data subjects.

PP: Do you need to get cyber insurance as a standalone policy or is it covered by a general business insurance policy?

JP: A standalone cyber insurance policy is better as it provides broader level of cover for businesses.

PP: What are the common pitfalls to look out for when buying cyber insurance?

JP: As with any insurance policy, it is important to check what is not covered. Some key exclusions in most cyber insurance policies are:

• Cyber warfare - Losses to businesses that result from cyber warfare and cyber-attacks that may be linked to the actions of a particular country or government are common exclusions due to the risks being so large and beyond the capacity of individual insurers
• Critical national infrastructure - Losses arising from failure of or outage to critical national infrastructure, such as electricity, gas, water, satellite or telecommunications, are excluded. As with war, the risk is so large and beyond the capacity of individual insurers
• Bodily injury and property damage - Cyber insurance policies will replace losses in the digital sphere but will not usually cover damage to physical property or bodily injury (death, sickness, disease or physical injury) which results from a cyber incident, as these are often covered by other insurance policies such as property or liability insurance
• Fines, penalties and sanctions - Cyber insurance will not cover criminal, civil or regulatory fines, penalties or sanctions that a business is legally obliged to pay

PP: What amount of cover is needed?

JP: You should also check any limits of cover. Policies are generally available for SMEs with cover limits between £100k and £5 million, although significantly higher amounts of cover are available for firms facing more complex cyber risks. It is important to make sure the cover limits in your policy are appropriate for your business and the risks you face.

PP: What should people prepare when looking for insurance?

JP: Be prepared to discuss and share details of your cyber security practices with the insurer. During the application process, you will be asked a variety of questions about your business and cyber security practices. These include questions that are common to all types of insurance, such as information about your business, turnover, customers, insurance claims history, etc. Insurers will also ask specific questions on cyber security procedures and responsibilities, anti-virus software, data usage and storage, back-ups, business continuity plans and any cyber security certifications your business holds.

PP: What steps do insurers want businesses to take?

JP: Insurance can only ever be one part of the toolkit of preventative measures, and as cyber threats continue to develop it is crucial that businesses also take steps to put in place strong cyber security. There are a variety of steps businesses can take to improve their cyber resilience and make accessing cyber insurance smoother:

• Install and regularly update and patch anti-virus and firewall software - You can set up regular, automatic scans. Do not rely on older, out-of-date products for the most critical applications and data access. It is important to update and patch regularly, as not doing so may also impact your cover
• Raise awareness of and educate employees about cyber security - Provide training at all levels on how to identify common threats such as malware or phishing emails, and what to do if they encounter these. Also focus on the importance of cyber security
• Have a clear password policy and make signing in more complex - Use a multi-factor or two-step, sign-in process. Set a strong password, using random words, mixed case letters, numbers and special characters, and not reusing the same password multiple times
• Regularly perform back-ups of critical systems and files - There should be a clear back-up strategy with back-ups being offline, protected and tested for restore capability
• Protect your data - Encrypt any confidential data and limit the collection of personal/financial data to only what is necessary.
• Don’t give blanket access to all users - In particular, limit “local administrative privileges” to only users who truly need it and create internal password protections, especially around the most critical information and systems
• Create and practice an incident response plan - This ensures that, in the case of an attack, you will have a timely and appropriate response. Without this, incidents can be much more severe. The response plan should be regularly tested and include how your business would respond to common cyber threats, such as ransomware

For more information, the ABI has produced guidance on cyber insurance.

If you would like to speak to us about insurance or anything related to securing your business from online crime, please contact us to arrange a chat.

Haven’t already signed up for membership? We offer a free package where you will have access to national guidance, resources, practical toolkits, along with regular cyber updates and member-only content. It takes just a moment to become part of the WCRC membership community.