Cyber security insurance, or cyber liability insurance as it’s sometimes called, can be hard to crack. Threats are multi-faceted and hard to summarise, and in general, we don’t like to think about the worst-case scenarios in which we’d need insurance.
As a result, many organisations either don’t have cyber security insurance or know they have some cover but aren’t sure what it encompasses.
So, should you spend precious time and energy looking into cyber insurance?
Unfortunately, even with advanced security procedures in the least at-risk sectors, you’re still vulnerable to accidental slip-ups and malicious attacks. You also can’t control the actions of third-party suppliers; if a hacker gets into a third party, they may be heading straight for your data.
Do you meet the ‘we need cyber insurance’ criteria?
If you agree with even one of the following statements, you need some level of cyber insurance:
- My organisation collects, processes, or stores personally identifiable data.
- My organisation collects, processes, or stores payment data.
- My organisation collects, processes, or stores business-critical data on digital devices.
- My organisation relies on technology for everyday operations and promotion.
- My organisation uses third-party software or banking.
Chances are you’re with the majority of businesses that will say yes to at least one of these statements.
Read on to learn everything you need about cyber security insurance.
What does cyber security insurance cover?
Cyber security insurance can cover almost anything that goes wrong across your digital operations. Insurance can reimburse you for lost revenue, fund the investigation to stop further damage, and insurers often offer guidance to reinforce your existing defences.
You can think of cyber security insurance as house and contents insurance. The insurer will pay for the damage to your home and for you to live somewhere else while they fix it. They’ll also track threats such as floods and warn you before they happen.
Unlike home insurance, with cyber you’re at risk in multiple locations as a hacker can take down a global estate from one virtual hideout.
Insurance will not stop a breach. It only minimises the damage the breach can cause.
Here are a few real-world examples of what cyber insurance might cover:
- Third-party liabilities: Insurance will reimburse your damages if your breach impacts third parties or vice versa.
- Direct financial loss: Insurance will cover some of your lost income if you cannot deliver services because of malware or ransomware threats.
- Business-as-usual interruption: Insurance can cover the disruption if ransomware or other malware stops you from carrying out everyday operations such as sending emails, accessing data, or making payments.
- Reputation damage: If you expose identifiable data, it can be a PR nightmare. Insurance will give you PR support to limit the scope of the damage.
- Intellectual property: If the hacker steals assets, your insurer will help you recover and protect your intellectual property.
The 5 areas of cyber insurance
All cyber security insurance policies are different. At their core, they all cover, in some shape or form, any loss caused to your business as a result of a digital disaster.
We’ve broken insurance into 5 areas of cover:
1. Investigation and recovery from cyber attacks
The biggest part of insurance cover is the services to help you investigate, stop, and recover from an attack or breach.
When you have a breach, your insurance might put you in touch with IT forensics experts or a Cyber Incident Response (CIR) organisation to investigate and stop the breach. Their job is to minimise the effects of the breach by restoring your networks and systems to normal operation.
The types of attacks they are likely to help you investigate and recover from include:
- Data breaches
- Cyber extortion
- System damage
- Financial crime
- Social engineering
2. Reimbursement from cyber security breach fines and revenue loss
After a breach, you’re likely to have lost income and be facing a barrage of fines and compensation claims. The insurer will pay up to certain values agreed in your contract for loss of income or assets.
They may also compensate customers whom the breach denied access to a service or system they rely on.
3. Training & support for cyber security
It’s in the insurance provider’s interest for you to not call on them, so they often offer training and support services.
Training services might include digital hygiene and basic risk training, or be specialised in specific regulations such as UK or EU GDPR.
Insurers might also send someone to create resiliency plans with your team and a robust incident management process. They might also recommend defensive measures such as anti-malware software and two-factor authentication.
Like most things in life, hacks also come in and out of fashion. So insurers may also offer a scanning and alert service to monitor the threat level for your business and your industry.
4. Legal representation for cyber security breaches
After a breach, you’ll face legal action from customers or third parties. Your insurance can cover the defence and settlement fees should you be in court.
The same goes for government investigations where an organisation like the Information Commissioner’s Office may fine you for a GDPR breach.
Legal support will be invaluable when negotiating with the attacker if you face a cyber extortion threat.
You may also have a legal requirement to notify people about the breach. Legal representatives can advise on who you need to contact and what level of detail you should share.
5. PR and reputation management in the case of a security breach
Finally, the most often overlooked aspect of any cyber security incident plan is your response to defamation and reputation damage.
A good insurance package will come with a press-trained crisis management team. The PR team will take control of the narrative and stop it from further damaging your company name.
What to do before you get cyber security insurance
Like all insurance, the more likely you are to need it, the more expensive it will be. You can mitigate your level of risk by gaining cyber essentials accreditations and creating a reliable and robust cyber security protocol.
You’ll also need to understand your requirements in detail, including the full-scale implications of a breach. What are the known vulnerabilities? How far could unknown consequences go?
To define these requirements, you’ll need a few experts on your side:
- Someone who understands your legal obligations and legal documentation
- Someone who understands your commercial requirements
- Someone who understands your technology ecosystem and security systems
- Someone who understands your human and operational processes
Recommended insurance companies and 3 questions to ask
When looking for an insurer, price should be your last deciding factor. Before you talk financials, you should filter for the insurers who can meet your needs in the following ways:
1. Does insurance cover the most common cyber threats to your business?
For some organisations, individual data leaks will be most pressing. For others, ransomware attacks are common.
2. Does insurance cover unknown or emerging cyber threats?
The devil works hard, but hackers work harder. New threats and viruses are emerging all of the time. Ask your insurer about the nature of the attacks they will cover you for, regardless of whether the attack is currently known to them.
3. Will insurance support your recovery process, not just pay for it?
Compensation and monetary payouts are critical to the survival of your business after an attack. But stopping the attack, recovering lost assets, and carrying out further due diligence all require expertise and physical capacity.
A few policy providers we recommend for cyber security insurance include:
- CFC Underwriting – Great all-rounder for businesses of any size
- Hiscox – Great for small business cover that still comes with training and support
- Travellers Insurance – Great for bespoke risk management services and reacting to new types of attacks
Need help managing your cyber security? Over 100 organisations have chosen us to build a tech stack that grows, not limits, their business since 2016. We’re fully accredited technology and security experts. Contact us today.