What you need to know about cyber liability

What you need to know about cyber liability

According to the UK Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2020 almost half of businesses (46%) report having cyber security breaches or attacks in the last 12 months. In addition, among the 46 per cent of businesses that identify breaches or attacks, one in five (19%) have experienced a material outcome, losing money or data. Two in five (39%) were negatively impacted, for example requiring new measures, having staff time diverted or causing wider business disruption.

 

Bear in mind this data only includes those businesses that have actually identified a breach.  It is possible that breaches may go unnoticed or unreported internally.

Despite this, only 32% of businesses report being insured against cyber risks.

There are numerous ways that cyber criminals might attack your business: Phishing, Denial of service, Man-in-the-middle, Malware, Ransomware and Direct Hacking attacks are all common occurrences and are certainly not restricted to large businesses.  Indeed, smaller business may be seen as the easier target due to a perception that smaller businesses may not have the most sophisticated protections.

These attacks are usually after sensitive data that you hold in your systems, as this data can be used in a multitude of ways that could severely impact your business; some examples of which may be:

• yours or your clients’ data being sold on the Dark Web
• to extort money from you in the form of ransoms
• to gain access to yours or your client’s bank accounts etc.
• to wreak reputational damage on your online social media or website
• email addresses being used to elicit personal data from third parties or onward propagation of viruses and malware etc.

In addition, these attacks may also cause physical damage to hardware, divert a substantial amount of staff time into dealing with the repercussions and potentially cause loss of revenue to your business.  This is all in addition to the likely punitive measures incurred as a breach of GDPR. 

Cyber Risks are not easy to manage especially when considering the average percentage of staff employed within small firms that use personally-owned devices to carry out regular work-related activities is approximately 50%.* This coupled with the increased usage of IT equipment at home, following recent events, may pose additional risk management challenges.

Cyber liability policies can help to protect your business from claims and expenses resulting from a data breach relating to your IT systems and networks.

These losses take the form of either ‘First Party losses’ – your own business assets – or ‘Third Party Losses’ – assets of others, typically your customers.

Examples of First Party Losses that can be insured include:

• Loss or Damage to Data
• Loss of Income and Additional Expenditure
• Cyber Extortion
• Customer Notification Expenses
• Theft of Money or Digital Assets
• Public Relations and Crisis Management Expenses
• Forensic experts to investigate and advise
• Loss prevention measures
• Fines and Penalties (except those that cannot be insured against by law)

Examples of Third-Party Losses that can be insured include:

• Fines and defence costs arising in respect of security and privacy breaches except fines that you cannot insure against by law
• Damages and defence costs that result from unintentionally transmitting, or failing to prevent or restrict the transmission of, a computer virus, hacking attack or denial of service attack from your computer system to a third party
• Loss of third-party data, including payment of compensation to customers for denial of access, and failure of software or systems

Examples of Exclusions or Policy Conditions may include:

• Punitive Fines and Penalties are excluded.
• Excess for Loss of Revenue claims under Cyber policies are typically time based e.g. you must have been affected for more than 12 or 24 hours.
• The cost of correcting any failings in procedures, systems or security are generally excluded.
• Product Liability or Professional Indemnity is excluded as this can be covered under more specific policies.
• The cost of normal computer system maintenance is excluded.
• Losses arising from External Network Failure are generally excluded.
• There are requirements for policyholders to back-up data – normally at least every 7 days – and that data is stored safely.
• There will also be a requirement that, where available, computer systems must be protected by a virus-protection software package which is paid for and up-to-date.