The term “cyber risk” covers any risk connected with the use of technology and data. And the cyber risk to UK business grows every day, threatening to bring companies to their financial knees. It encompasses malicious attacks by outsiders through denial-of-service attacks, data theft and cyber extortion (through ransomware), insider attacks by disgruntled employees and accidental losses such as an employee losing a laptop or a data stick.
These risks all expose business to the prospect of serious financial losses caused through business interruption, loss of income, repairing damaged IT, claims by customers and third parties, and regulatory fines. There is then the unquantifiable long-term blow that can be dealt to a company’s reputation and goodwill by a cyber-attack.
The scale of cyber-attacks continues to grow. Cyber risk is more prevalent than ever before as almost all organisations across all sectors are now reliant to a greater or lesser extent on tech and data to carry out business.
A recent UK government survey suggested that over 60% of large companies and over 30% of small businesses have now suffered a cyber-attack or data breach. The average cost of a breach is now nearly £23,000 for large businesses and almost £4,000 for smaller ones. These costs directly impact the company’s bottom line.
As the use of tech and data has increased, so has regulation such as the General Data Protection Regulation (GDPR). This ups the risk ante for businesses, which are now exposed to the potential of large regulatory fines if they suffer a data breach.
And the cyber risk may have increased more recently with Covid-19 leading to the shift to homeworking by employees. This has meant an unprecedented expansion of a business’s security perimeter, arguably leaving it more exposed to malicious cyber threats (such as phishing emails) than ever before, with employees’ home devices becoming points of cyber vulnerability.
Insurance solutions are, however, available to provide financial risk transfer from business to insurers in respect of cyber risk and, with that, to relieve some of the burden on business.
Traditional insurance policies such as commercial property, business interruption or professional indemnity insurance, generally only provide limited (if any) cover against cyber risks. So, companies may need to look to specialised cyber insurance policies to supplement their existing commercial insurance programme and to protect their business and assets.
Cyber insurance has become increasingly popular as the global cyber threat has grown in recent years. Indeed, it is estimated that global cyber premiums paid to insurers will reach $25bn by 2025. Cyber was an insurance product originally purchased almost exclusively by US policyholders. But in recent years the cyber insurance market in the UK has matured, with an increasing number of insurers entering the market with sophisticated policy products to respond to ever more complex claims scenarios.
Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks. Losses are typically categorised as ‘third party’ (where loss is suffered by third parties – such as customers) and ‘first party’ (damage to the insured’s own assets). Insurance can cover these types of risk.
First-party insurance covers:
- Loss or damage to digital assets
- Business interruption from network downtime
- Cyber extortion where hackers threaten to damage data if a ransom is not paid
- Notification expenses when there is a legal or regulatory requirement to notify customers of a security or privacy breach
- Reputational damage arising from a data breach that results in loss of intellectual property or customers
- Electronic theft of money or digital assets
- The costs of professional assistance (IT, forensic, PR etc) with the management of, and policyholder’s response to, the cyber incident.
Third-party insurance covers:
- Security and privacy breaches, and the investigation, defence costs and any associated civil damages award
- Multi-media liability, to cover investigation, defence costs and civil damages arising from defamation, breach of privacy or negligence
- Loss of third-party data, including payment of compensation to customers for denial of access, and failure of software or systems.
Like all commercial insurances, cyber policies will contain conditions of cover (such as claims notification and an obligation to co-operate with insurers), exclusions (what is not covered by the insurance), the limit of indemnity (the amount of the insurance for the duration of the policy), the period of the insurance and the self-insured retention to be borne by the insured.
It is also likely that cyber insurers will prescribe the minimum cyber security arrangements that they expect the insured to put in place to mitigate the cyber risk as a condition of coverage so as to reduce claims under the policy.
This is just an overview of cyber insurance. So please join us at our Cyber Conference on 21 September 2021 when I will be chairing a detailed discussion about risk management and current issues in the cyber insurance market with leading figures from the insurers CFC, Canopius, Axis and Lime Street Brokers. All your questions about cyber insurance will be answered!