Cyber & Data Risks Insurance
Each year when completing a review of their insurances, most businesses will look at uninsured exposures with their insurance broker. Most of these can be reasonably ignored following simple cost-benefit analysis, but cyber is more difficult in that the associated risks and their potential cost to a business are still developing. It is anticipated though that the frequency and severity of such incidents will continue to rise, mirroring the experience of North America where cyber risks are given a higher regulatory and boardroom prominence. In the US it is now estimated that over 75% of corporate businesses purchase cyber insurance.
Different businesses will be exposed to cyber risk in different ways; some are reliant on their website to drive turnover, some rely on a hosted accounting or billing system to operate whilst others hold sensitive client data or intellectually valuable data on their systems. There are a multitude of scenarios that leave a business exposed to internal and external electronic threat. The failure of an IT network could be debilitating and a good first step is to identify and take steps to mitigate external and internal IT risks. These include:
• data theft or data loss
• hijacks where hackers gain control of a system and demand a ransom to restore service
• bot scams where viruses are used to take over large numbers of computers
• basic human error (internally generated risks should not be overlooked and continue to be the most common proximate cause to a cyber loss)
Notification costs following the loss of third party data is now a major concern for EU business following GDPR. Safekeeping of data is the responsibility of the customer facing entity, notwithstanding that a third party processing company may have been the party that lost the data and/or contractual terms making a third party responsible for notification. This means if you are hacked and lose your customer data (names, addresses, credit card numbers etc.) you will need to report the loss to the data commissioner, possibly pay PCI fines, pay the cost of notifying your customers that they are at risk, pay for advice to manage their risks and pay PR costs to manage the potential damage to your brand and reputation. All of these risks can be insured and cyber insurance will additionally cover fines and penalties associated with regulatory investigations due to a privacy event.
The other major threat to a business may be the loss of a website and a resultant loss of revenue. Again, this can be insured.
The cyber insurance market has been developing at a rapid pace over the past five years as experience has been gained by insurers. Areas of cyber-risk that can now be insured include:
• replacing, restoring or recreating data that has been corrupted or destroyed by network failure or first/third party intervention
• loss of data and notification management costs
• criminal threat or extortion to release sensitive information or bring down a network unless demands are met
• loss of income and extra expenses resulting from when a network is interrupted by attack. Covers criminal hackers, malicious insiders and denial of service (DOS) attacks, (including extortion monies)
• payment fraud (deception of the insured’s customers into transferring over funds)
• public relations expenses and crisis management
• disaster recovery activation costs
• fines and penalties where insurable by law
• use of leased / rented external equipment
• use of third party services
• additional staff expenditure and overtime payments
• terrorism risk, including ideological risk (LulzSec, Anonymous etc)
James Hallam Insurance Brokers have been placing cyber risk in the London market for over fifteen years. We source cover to insure against all of the above threats and, in addition, we can protect against risks that the majority of cyber insurers omit. For example, our favoured market will also provide:
• the provision of first party cover on an “each and every claim” basis, ensuring that policyholders aren’t restricted by a policy aggregate and that the full benefits of cover are available each time a crisis strikes, even if they experience multiple cyber incidents in the same policy period
• full retroactive cover as standard, meaning that policyholders are covered for breaches they discover during the policy period, even if it first occurred long before. Symantec has reported that the average time to discover a breach is 205 days, making this a particularly important feature
• an extensive in-house incident response capability to ensure that cyber incidents are dealt with quickly and efficiently in real time. Initial response services are offered with no deductible payable by the insured
• broader cover for senior executive officers who are regularly targeted in cyber attacks, covering theft of personal funds of individuals as well as those of the company
• if a suit is brought against directors and officers following a cyber attack, the policy provides affirmative cover in the event that their management liability policy doesn’t respond
• incident response costs are provided in addition to the policy limit
• no excess is applied to the initial reporting and investigation costs
• full systems failure is covered, including resultant business interruption
• full Supply Chain is covered, including Technology suppliers (and non-Technology suppliers if named)
• Cryptojacking and Botnetting are included under the definition of Cyber Crime
• Additional Extra Expense coverage is included for costs above the normal operating expenses of a business
• Hardware Replacement coverage is included for computer hardware or tangible equipment damaged as a result of a cyber event
Some points to consider when discussing Cyber Risk with your clients
Dealing with a ransomware incident is rarely a simple matter of the ransom payment being made and the business in question automatically regaining access to their systems and data. Even after a ransom payment has been made, and assuming the system can be successfully decrypted, the ransomware can have the unintended side effect of severely impairing the functionality of one or more of a business’s vital systems.
The use of legacy systems can significantly increase the risk of a cyber loss. Generally speaking, legacy systems are not only far more vulnerable to attack, they are also much more susceptible to dysfunction following a cyber attack.
The importance of having data re-creation cover is becoming increasingly apparent. Many cyber policies only provide cover for the cost to recover or restore data from back-ups, but not the costs to re-create or re-enter lost data from scratch. The bulk of the costs to a claim can come from the labour costs associated with manually re-entering data, and brokers should be sure to check that their clients have this important cover in place.
Almost all modern businesses have some form of cyber exposure. Even if a policyholder does not solely rely on their computer systems to carry out work, they will still have an office function that playing a key role in the running of the business. When the computer systems in an office are affected by a cyber event it will almost certainly have a negative impact on the overall business operation and having a cyber insurance policy in place will provide a valuable safety net for the company.
James Hallam can place cyber insurance in the London Market for business domiciled almost anywhere worldwide so please feel free to get in touch if you would like us to assist you and your clients.