By ABL Associate Director, Darren Rodgers.
Cybersecurity is no longer just the remit of large corporate companies or IT firms. For the past twenty years, we have seen a huge shift in how business is conducted that is directly linked to technological advancements. Whether it is online document sharing, emails, e-commerce or online marketing, the rise in the use of technology has corresponded with a rise in cybercrime. A recent survey has shown that 46% of businesses have reported cyber security breaches or attacks in the last 12 months. In addition to this, according to one estimate by McAfee in 2018, the damages associated with cybercrime are now running in the billions for UK firms.
Although the cost of a breach can be extremely expensive for a company, there is more damage suffered than purely financial costs. A data breach can lead to reputational damage, with customers losing trust in a business and going elsewhere.
It has been argued that most businesses will experience some form of attack or breach at some stage. Consequently, it is imperative that a business implements controls to detect and respond to such attacks before they result in damage and disruption.
One vital way of protecting a business is by having adequate insurance cover against cyber risks. However, it is estimated that only a small percentage of businesses are insured against cyber attacks. Standard commercial insurance policies will not extend to cover cyber risks, which are now a common exclusion. A Cyber Insurance policy can offer a business protection against a wide range of risks.
The cover can sometimes be known as Cyber Liability, which can be misleading. This implies cover against third party legal liability claims resulting from a breach. However, it is estimated that only a small percentage of claims arise in this area. Instead, the vast majority of cyber breaches tend to cause financial loss to the insured themselves as opposed to third parties.
From a First Party viewpoint, the policy can cater for:
This is intended to cover the costs involved in responding to a cyber incident, including security and forensic specialist support, legal advice on breaches of data security, and the cost to notify individuals that have had their data stolen. One of the most important aspects is that it provides quick access to specialists. This can also include PR experts, to assist in managing the event.
This section covers costs incurred in responding to attempts to extort money by either threatening to carry out a cyberattack or by threatening to expose or destroy data after a breach. This includes Ransomware, where the data is encrypted and only made accessible by the payment of a ransom demand.
This section covers the costs for an insured’s data and applications to be repaired and restored.
This aims to cover loss of profits and increased costs of working as a result of interruption caused by a cyber event. It works in a similar way to traditional business interruption insurance except the trigger is a non-physical peril as opposed to a physical one.
If permitted to be included under a policy, this will cover the cost of certain fines and penalties that a regulatory body might enforce as a result of a data breach.
Cover to protect your own funds that have been stolen directly by someone who has hacked your account.
The Third-Party covers can include:
This covers any third party claims arising out of defamation or infringement of intellectual property rights.
This covers third party claims arising out of a cyber event, such as a transmission of harmful malware to a third party’s systems or failing to prevent an individual’s data from being breached.
The sophistication of cyber-attacks has rapidly evolved, and the insurance industry has struggled to keep up. There have been complaints from clients that the cover is not easily accessible, with large proposal forms required. However, one of the main sources of frustration is the different approaches to the covers offered. It seemed that each cover option had different views on what should be included, and it is critical to note that not all cyber insurance policies include cover for the above types of loss. For instance, Cyber Theft is not always included.
One area of frustration was the absence of cover for Social Engineering. This area of Cyber Crime has dramatically increased, to the point that nearly every business has had some form of loss or potential loss. This can involve the attackers pretending to be a third party, such as a supplier, but more commonly, they imitate some level of senior management, asking accounts for payment to be made to a new bank account.
This cover is generally not included in a Cyber policy, and it can be found in a traditional crime policy, but the cover varies widely. This can be frustrating for a client, as multiple policies are needed to cover all gaps.
ABL are delighted to offer the new Markel Cyber policy, developed in conjunction with our parent company GRP. This partnership has sought to remove these frustrations, with a new, easily accessible policy at competitive rates. Furthermore, there are new cover enhancements, including:
1. Social Engineering: included as standard at £100,000 limit of cover, or lower if a reduced policy limit of indemnity is selected.
2. System Failure: included up to £50,000 under the Business Interruption
This covers a business if systems are affected by an unplanned outage, meaning that the business cannot use its computer systems, resulting in loss of income.
3. Wording improvements: for instance, social engineering now includes theft of personal money of a director, member or partner employed.
Please also note the limit of indemnity has changed from being in the aggregate to now applying separately to each of the First Party and Third Party cover sections.
I would be happy to discuss your business Cyber risks, and please feel free to contact me.
Darren Rodgers FCII