With a 3 in 5 chance of a small business failing within six months of a cyber-attack, being aware of the different ways to layer up protection against such threats is a must.
When we buy a car, house, pet and even a phone, purchasing insurance is something we don’t think twice about, and we hope that, because you’re reading this, you’d count business insurance in that list too!
However, when it comes to an additional policy covering cyber, there’s more work to be done to raise awareness of its benefits. The UK Cyber Security Breaches Survey 2022 reports that over four in ten businesses (43%) and almost three in ten charities (27%) say they are insured against cyber security risks in some way.
Paul Peters, the director of the Cyber Resilience Centre for Wales (WCRC), met with Jonathan Purvis, policy advisor with the Association of British Insurers, to learn more about cyber insurance, its importance and what to look out for when selecting a policy.
PP: What is the ABI?
JP: The Association of British Insurers (ABI) is the voice of the UK’s world-leading insurance and long-term savings industry. A productive and inclusive sector, our industry supports towns and cities across Britain in building back a balanced and innovative economy, employing over 357,000 individuals in high-skilled, lifelong careers, two-thirds of which are outside of London.
Our members manage investments of £1.6 trillion, pay over £17.2 billion in taxes to the government and support communities across the UK by enabling trade, risk-taking, investment and innovation. We are also a global success story, the largest in Europe and the fourth largest in the world. The ABI represents over 200 member companies, including most household names and specialist providers, giving peace of mind to customers across the UK.
PP: Why is cyber insurance important?
JP: We live in a rapidly changing society in which the way we work and carry out our lives is becoming ever more dependent on digital infrastructure. With increasing reliance on digital infrastructure comes increased risk. Our society, economy and lives have never been more reliant on the security and resilience of the computer systems on which our world now depends.
Over the coming years, cyber threats will continue to plague businesses of all sizes and new threats will emerge, with the risk of a data breach or ransomware attack increasing and the impact of new attacks becoming ever more devastating.
It is in this context that the role of cyber insurance can be seen more clearly as a key facilitator in the promotion of the increased cyber resilience of businesses and individuals, and in providing the financial support needed to get affected businesses back on their feet.
PP: What does it cover?
JP: Cyber insurance covers losses relating to damage to or loss of information from IT systems. It covers the financial losses to your business arising from a cyber-attack or incident, such as theft of funds and cost of repairing damage to IT systems, as well as any liability actions that might be brought against you, such as investigation and defence costs, civil damages, and compensation payments to affected parties.
In the event of an IT failure or cyber-attack, cyber insurance will provide businesses rapid 24/7 support from cyber specialists who are able to assess a company’s systems, identifying the source of any breach and suggesting preventative measures for the future. This support can often include advice on legal and regulatory requirements, public relations as well as what steps to take to notify customers of an incident.
Cyber insurance also provides preventative support with improving the cyber resilience of businesses. Insurers will help with identifying, managing and mitigating cyber risks by helping to apply better risk mitigation techniques to minimise exposure and damage, providing staff training, password management, access to threat intelligence, conducting vulnerability scanning/assessments and access to cyber security expertise.
The following example demonstrates the value cyber insurance can bring not just when a cyber-attack occurs, but in helping improve business cyber resilience:
A PR company noticed a problem with its emails. Its regular IT contractor investigated and concluded that the most likely cause was malicious activity. The business contacted its insurer, which then deployed an IT forensics team on-site to investigate and confirmed the company had indeed been the victim of a malware attack.
It also confirmed that the hackers who deployed the malware had accessed systems and that personal data was potentially compromised. After investigating the extent of the breach, the IT team removed the malware and plugged the gap in the PR company’s security that had allowed the breach. The insurer then engaged legal counsel to advise the company on its notification obligations, and then arranged the notification of the regulator and relevant data subjects.
PP: Do you need to get cyber insurance as a standalone policy or is it covered by a general business insurance policy?
JP: A standalone cyber insurance policy is better as it provides a broader level of cover for businesses.
PP: What are the common pitfalls to look out for when buying cyber insurance?
JP: As with any insurance policy, it is important to check what is not covered. Some key exclusions in most cyber insurance policies are:
PP: What amount of cover is needed?
JP: You should also check any limits of cover. Policies are generally available for SMEs with cover limits between £100k and £5 million, although significantly higher amounts of cover are available for firms facing more complex cyber risks. It is important to make sure the cover limits in your policy are appropriate for your business and the risks you face.
PP: What should people prepare when looking for insurance?
JP: Be prepared to discuss and share details of your cyber security practices with the insurer. During the application process, you will be asked a variety of questions about your business and cyber security practices. These include questions that are common to all types of insurance, such as information about your business, turnover, customers, insurance claims history, etc. Insurers will also ask specific questions on cyber security procedures and responsibilities, anti-virus software, data usage and storage, back-ups, business continuity plans and any cyber security certifications your business holds.
PP: What steps do insurers want businesses to take?
JP: Insurance can only ever be one part of the toolkit of preventative measures, and as cyber threats continue to develop it is crucial that businesses also take steps to put in place strong cyber security. There are a variety of steps businesses can take to improve their cyber resilience and make accessing cyber insurance smoother:
For more information, the ABI has produced guidance on cyber insurance.
If you would like to speak to us about insurance or anything related to securing your business from online crime, please contact us to arrange a chat.
Haven’t already signed up for membership? We offer a free package where you will have access to national guidance, resources, practical toolkits, along with regular cyber updates and member-only content. It takes just a moment to become part of the WCRC membership community.