Cyber & Data Insurance Guide
The vast majority of businesses currently use some sort of computer system or device linked to a network which gives creative individuals with malicious intent the opportunity to harm the business. Many firms are finding that even after adopting a best practice approach to IT policies and procedures, incidents continue to occur.
Cyber & Data Insurance policies are primarily designed to reduce the impact on a company’s balance sheet through restoration and containment services. These services include restoring the functionality of a company’s systems, mitigating reputational damage through the deployment of a public relations strategy, and covering the cost of contacting both customers and suppliers to communicate the breach (and offer credit monitoring services where applicable).
What are the risks from a Cyber attack?
What is cyber risk?
The term ‘cyber risk’ is typically used to define any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
What are the potential risks from cyber attacks?
There are many different types of risk associated with a cyber attack. Examples include denial of service attacks which can shut down entire IT systems and websites, loss of critical data, loss of client data, loss of proprietary information, or a threat of extortion or adverse media coverage following an attack. It was reported in a survey conducted by Edelman that 71% of customers would leave an organisation after a data breach where their personal information had been stolen.
Who does a Cyber & Data Insurance policy cover?
Cyber & Data policies will typically have coverage for:
- First-party, covering direct losses to the policyholder.
- Third-party, protecting the policyholder against claims from third parties such as customers or partners.
What can a Cyber & Data Insurance policy provide?
Most policies will provide cover for the following:
- Forensics - expert forensics can determine what and how much data has been affected and what actions can be taken post-breach, such as restoration and containment. This aspect of cover is often utilised to free up the time of the target company’s IT team so they can be deployed on essential restorative work.
- Fines and Investigations - A data breach can lead to significant costs as well as the potential for fines. A Cyber & Data Insurance policy is designed to cover the costs and fines imposed on the company.
- Notifications - the legislation from the General Data Protection Regulation (GDPR) due to be enforced from 25th May 2018 will dictate that customers and suppliers will have to be notified in cases where their data has been affected, with credit monitoring put in place in order to mitigate any losses.
- Legal & PR - legal and PR consultants will work together to both formulate, and then action, the strategy to contain the potential reputational damage that could lead to a negative company image.
- Liabilities - defence costs and damages for:
  - breach of personal or corporate data.
  - contaminating a third party’s data with a virus.
  - theft of system passwords.
  - theft of hardware which contains data.
  - a negligent act or error by an employee.
Who does a Cyber & Data Insurance policy cover?
Any business using computer systems to store data that may include financial information of clients, employee information or confidential files has a risk exposure to a cyber attack. According to the Government Security Breaches poll, nearly three quarters of small organisations reported a security breach in 2015.
What type of companies are being affected by cyber attacks?
It is no longer only larger businesses that are being attacked for the potential financial rewards. Cyber attacks are happening with much greater frequency on small and medium-sized businesses, possibly due to the perception that they are easier targets.
Can cyber attacks only come from hackers?
Employees are also putting their organisations at risk due to a general lack of understanding of IT security, one example being USB security. A recent report stated that 73% of employees are using USB drives without having permission to do so, 72% have lost USB drives without notifying the appropriate authority, and 55% of employees use generic or free USB drives which could contain malware or other software that could harm computer systems.
Another example would be the emergence of Bring Your Own Device (BYOD) policies, which creates yet another route for hackers to gain access to a company’s systems.
What else can I do alongside putting in place a Cyber & Data Insurance policy?
Prevention is better than cure, so the implementation of high levels of data security and stringent system controls is advisable, as is providing your staff with the relevant training and education. It is important that organisations take responsibility for their employees and help fill any knowledge gaps, specifically in relation to computer security. Any new employee should receive training in computer security and regular reminders to remain vigilant of any suspicious emails.
What other financial impacts of a breach could there be?
In addition to regulatory fines and defence costs, there could also be compensation to third parties to be considered, which can be substantial.
What other aspects of a cyber breach are there to be considered?
If the valuation of the company is significantly impacted it can cause disputes in the Boardroom between the directors and shareholders which can prove to be extremely disruptive.
Cyber Policy Facts & Features
How much does a policy cost?
Cyber insurance policies are available from £1,000 per annum at the lower end of the scale depending on the data held and size of the company.
What are the key factors determining cost?
There are multiple factors used by underwriters; one of the key criteria is the number of personally identifiable information records held by a company.
Will technology-reliant companies pay more?
Businesses that rely heavily on technology to generate revenue or process transactions are potentially at a higher risk of significant impact. Underwriters may review how quickly a company is able to resume operations following a network security failure, or outage, along with the back-up plans in place.
Are retail companies at greater risk?
The factors that can make retail companies higher risk include:
- the size and type of information held on their databases.
- the scale of the loss of revenue whilst their website and IT systems are disrupted.
- the ability of their customers to switch provider after a system breach is communicated.
How much coverage does a company need?
A good starting point to assessing the limits required is to conduct an exposure analysis, including a review of the size and nature of the data you hold. A micro company may only need a £50,000 limit depending on whether they are holding sensitive data and trading over the internet, whilst an SME company might purchase between £100,000 and £5,000,000.
Will there be an excess (or deductible) on the policy?
An excess will typically apply to monetary values and a time excess will be applied to business interruption elements of the coverage (usually 12 or 24 hours).
What are the exclusions and limitations?
There will almost always be exclusions and limitations in an insurance policy. Whilst some policies would not cover unencrypted data on portable devices, there are also those that limit or eliminate coverage for information held by a third party (such as data held in the cloud unless there is a written contract between the policyholder and the third party). Cyber and Data policies are also unlikely to cover risks that are insurable elsewhere, typically those covered under a general liability policy for example.
Do I need to use a specialist broker?
Navigating the exclusions and limitations in Cyber & Data policies can prove challenging for the inexperienced. A broker with expertise in this field will be able to advise on which products are most suited to your sector and company and help you decide on appropriate insurance limits. They should also be able to negotiate with insurers over exclusions and policy language, where required.
Is Cyber & Data Liability widely offered by insurers?
Cyber & Data Insurance first became available in the 1980s but did not flourish and remained a niche product to address unusual exposures. However, the uptake of Cyber & Data Insurance has grown rapidly over the last decade as insurers have responded to the heightened risks and increasing levels of criminal activity in this area.
Are there limitations to geographical scope of cover?
Cyber risk policies can define the geographic scope of the covered risks to certain locations, such as the UK only or ‘worldwide excluding the United States’. Companies need to review whether their coverage matches their business relationships and risks to ensure that they are purchasing effective insurance. Certain jurisdictions can attract higher premium charges.
What is the legislative landscape?
What is the GDPR?
The GDPR is the General Data Protection Regulation, an EU regulatory body set up in April 2016. Their mandate is to strengthen and unify data protection for individuals within the European Union.
What new policies is the GDPR putting in place?
The biggest change is that companies which experience a breach will have to notify all of their clients and suppliers. Whilst this is only for breaches determined as ‘higher risk’ (where there has been a risk of fraud or identity theft), it does actually set a relatively low bar, as this information is of the type regularly collected and widely held by companies.
When is the new data legislation coming into force?
The EU General Data Protection Regulation (GDPR) is due to be enforced from 25th May 2018.
Will the GDPR still apply when the UK leaves the EU?
Yes, if you hold or transfer data of users from the EU.
What fines are likely to be faced due to a data breach?
The current cap of £500,000 will be increased to €20m or up to 4% of a company’s annual global turnover, whichever is greater.
How many fines have been imposed over the last five years?
- 2012: 17 fines totalling £2,143,000
- 2013: 14 fines totalling £1,520,000
- 2014: 9 fines totalling £668,500
- 2015: 18 fines totalling £2,031,350
- 2016 to 1st April: 8 fines totalling £911,000
Who will be accountable for the breach?
The GDPR will make the companies that are processing the data accountable for their data protection and therefore they will be the ones who will receive the fines.
What is Cyber extortion?
When an entity demands a ransom to restore or release IT systems or files which have been hacked.
What is business interruption cover?
Cover for lost revenue as a result of a ‘hacking event’ and includes the restoration expenses that are incurred whilst remediating the breach.
What is network security liability?
Liability cover for damage and claim expenses that come from an actual or alleged breach, error or omission which leads to the:
- failure to prevent unauthorised access to and use of a system that results in data becoming damaged or deleted; theft or loss of the data; denial of service attacks against internet sites or computers.
- inability of an authorised third party to gain access to your system.
- inability to prevent malicious code from being uploaded from your system to third-party computers or systems.
What is privacy liability?
Liability cover for cases where an insured fails to keep securely any electronic or non-electronic private or confidential information in their care, custody or control.
What is a privacy regulatory proceeding?
Cover for legal defence expenses, as well as penalties or fines that may arise from a regulatory proceeding from a breach of a privacy law caused by a covered security breach.
What are breach response expenses?
They cover crisis management, which includes the cost of credit monitoring services and public relations expenses that will arise from a security or a privacy breach. This will also cover the cost of notifying clients as required by various international laws or regulations, particularly in the US with state and federal laws.
What is media liability?
This covers the insured for intellectual property such as copyright infringement and personal injury such as defamation that result from an error or omission in the content of their website.
What is crisis containment cover?
A service which is typically provided by a public relations firm which can advise on the communication strategy after the event of a data breach to help minimise the damage to a company’s reputation.
What is hacker damage cover?
Reimbursement for costs of repair, restoration or replacement if a hacker causes damage to your websites, programmes or electronic data.
What is the darknet?
The darknet is an area of the internet that is encrypted and requires special software and configurations to access it. There has been a significant rise in the trading of computer viruses developed by hackers on the darknet. Other examples of illegal activities that occur are the purchasing of illegally obtained credit card numbers, false identities, weapons and even uranium.
What is malware?
This is a general term for different types of malicious software, such as computer viruses and spyware. In 2014 it was reported that there were nearly one million new malware threats released online every day, according to reports by Symantec.
What is phishing?
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by an entity disguising itself as trustworthy in a Facebook message or Tweet for example.
What is like-jacking?
Like-jacking occurs when criminals post fake Facebook ‘like’ buttons to webpages. Users who click the button don’t ‘like’ the page, but instead download malware.
What is link-jacking?
Link-jacking is a practice used to redirect one website’s links to another which hackers use to redirect users away from trusted websites to malware-infected sites that hide drive-by downloads or other types of infections.
What is a malicious insider?
A malicious insider, although less frequent, has the potential to cause significant damage due to their level of access. Administrators with privileged access are especially high risk. According to the Ponemon Institute, ‘data breaches that result from malicious insider attacks are most costly’.
What are exploited insiders?
These are individuals who have been misled by external parties into providing data or passwords to access systems, databases or bank accounts.
What are careless insiders?
Careless insiders are those that may simply press the wrong key which accidentally deletes, modifies or sends critical information to the incorrect party.