There are many features to look for in a cyber insurance policy, from legal advice to business interruption to privacy breaches. Let’s talk through some of the most important elements of cover to help you decide what you need in a policy.
To start with, legal advice has become the aspect of cyber insurance most used by businesses, with 73% of organisations admitting to claiming legal assistance with their policy in a 2020 survey for the UK Government’s Department for Digital, Culture, Media and Sport. It is worth checking whether your insurance provider includes access to law experts as part of its package.
The best cyber insurance packages also include business interruption protection. This is at the core of cyber policies and means that if an IT failure or cyber-attack disrupts business activity, insurers will pay for the loss of income or increased costs of trading in the aftermath of an incident.
According to NimbleFins, another important aspect of cyber insurance is cover for privacy breach costs, as it protects a business from what could be hefty damages paid to customers if their data is leaked. This clause in a policy can also cover the cost of notifying customers of a breach, investigation costs and legal fees.
If a business relies on a complex private network to operate, it is worth ensuring a policy has protection for restoring computer systems as well.
Organisations that use many electronic devices should consider whether to include an asset replacement clause that would cover the cost of new devices or restoring lost, corrupt, or altered data. Sometimes asset costs can be covered by contents insurance, but it is worth checking the small print to see if your existing cover would include replacing electronics as the result of a cyberattack.
Cyber insurance cover features
Cyber insurance cover can include third-party protection for your customers and other contacts who are affected by a covered incident, as well as first-party cover for the direct costs to your business as a result of a cyber incident. The extent of coverage depends on your policy and whether it has both first-party and third-party protection.
First-party cover can include:
Business interruption: This is the core policy in cyber insurance and covers loss of income or profits when a cyberattack or IT incident prevents trade from taking place.
Investigations: To find the source of the incident.
Managing an attack: Legal and other expert advice and assistance to help navigate the law and restore systems. This could apply whether a business is the victim of a hack, data or security breach, virus, or IT network failure.
Cyber extortion: Practical advice if hackers demand a ransom. In some cases (although not advised as the first port of call) insurers can cover the financial demand.
Recovering lost data or programmes: Experts can come to the rescue of a business to repair systems and bring back lost documents.
Restoring computer systems: To get a business back up and running.
Notification costs: Covering the expense of notifying customers or other third-party victims of a data breach.
Reputation management: For example, funding a PR campaign or paying for free credit monitoring or credit protection services for affected customers.
Third-party protection covers costs relating to a customer base or other third parties. This can be invaluable in protecting a reputation and includes:
Media liability: Covering investigation, defence and damages if a third party has a claim of defamation as a result of private information published in the media.
Privacy protection: If a third party’s right to privacy has been breached by a lapse in security, insurance can cover legal defence costs and settlements.
Does cyber insurance cover ransomware?
Reputable cyber insurance policies cover ransomware attacks. This could include paying for an expert’s advice on how to negotiate with the hacker, as well as reimbursing the ransom amount paid under duress.
Cyber extortion – when a hacker seizes control of an organisation’s computer system or data until a fee is paid – is now standard in most cyber insurance policies. It is becoming more popular as businesses move online. In some cases, the ransomware policy can also cover theft of the ransom, if the money is stolen on the way to the hacker.
Does cyber insurance cover GDPR fines?
It is unclear whether cyber insurance will cover GDPR fines, but policies should help with other implications of a GDPR breach, such as legal advice. Until there is a test case it cannot be said for certain whether cyber insurance will cover GDPR fines.
Under GDPR laws, fines can be up to €20 million or 4% of the company’s worldwide turnover, whichever is greater. Fines are not usually covered by insurance, as cover would negate the impact of the punishment and the fines would lose their status as a deterrent. Businesses should decide if fines are covered “to the extent insurable by law”, Lexology says.
Cyber insurance does cover legal advice and can pay for costs associated with reporting a GDPR breach to customers. Cyber insurance can also help with recovering lost data and other aspects of managing a security breach.