Guide to cyber-risk business insurance

gocompare author
Updated 24 June 2021 | 3 min read

What’s cyber-risk insurance?

Cyber insurance helps to protect your business against losses caused by incidents that have affected your IT systems and networks.

If your business relies on any sort of technology, it can be exposed to a range of cyber-risks.

Cyber insurance – which is sometimes known as cyber liability insurance – compensates you for the effects of a digital incident or security breach, like a major cyber attack on your IT systems.

Key points

  • It’s a good idea to take out protection for cyber risks if you rely on computer systems and technology to run your business
  • Cyber-risk insurance can help cover the losses your business incurs following a cyber incident and help you get back up and running as quickly as possible
  • You can buy first-party cover to protect your business and third-party cyber-risk insurance if you work with sensitive customer information

Why does my business need cyber-risk insurance?

Cyber threats and digital incidents, such as system failures or security breaches, can have a big impact. Your business could experience considerable downtime, incur unforeseen costs, and you could lose valuable income and customer trust.

Cyber insurance is designed to protect your business from the costs, losses and business disruption caused by a digital incident.

A cyber incident, like data theft, can cause major disruption to your business. There can be costs to repair and recover your systems, and the incident can also mean financial losses to the business or even reputational damage.

How do I buy cyber-risk cover?

Some business insurance policies, such as business interruption or professional indemnity insurance, include some level of cover for cyber-risks.

But to give your business full protection, you’ll need to take out cyber-risk insurance if you:

  • Hold sensitive customer details – like names, addresses or banking information
  • Rely on computer systems and websites to run your business
  • Process payment card information online
  • Use email to communicate or send information digitally

What does it cover?

Cyber-risk insurance covers the costs to your business that can result from something happening to your IT systems or networks. For example, a cyber attack could bring your website down or a digital incident could cause system failure or loss of customer information. 

Insurance for cyber-risks usually also includes specialist help to manage and recover from a cyber incident.

There are several cyber risks your business can be exposed to, and cover for these falls into two categories:

First-party insurance 

This is cover for cyber risks that directly affect your own business:

  • Interruption to your business when your network goes down
  • Loss or damage to your digital assets, such as your IT systems, data, software programs, and website
  • Cyber extortion, where hackers ‘ransom’ your data by threatening to damage or release it if you don’t pay
  • The cost of having to notify customers when there has been a breach of security or privacy – you are sometimes legally required to do this
  • The damage caused to your business’s reputation or the loss of customers, following a data or security breach
  • Money being taken from your account, or theft of your digital assets, when your electronic equipment has been stolen or you’ve experienced a digital theft 

Third-party insurance

This type of policy provides protection for assets that belong to others, like your customers:

  • Breaches of security and privacy, and the costs associated with expert investigation into why and how the breach happened, legal defence costs and compensation paid to your customers
  • Costs and damages that you’re legally liable to pay to other parties if you’ve failed to prevent a data breach, or if your IT systems have been cyber-attacked
  • Loss of third-party data, including compensation paid to customers if they’ve been unable to access their accounts or use your services as a result of a cyber incident

What are common cybercrimes?

There are several types of cybercrime that your business can be exposed to. The most common of these are:

  • Malware attacks: The term ‘malware’ is short for malicious software. Cybercriminals create this software to access personal data, steal financial information or damage devices. It’s installed without your knowledge and quickly transmitted to other devices and organisations. Types of malware include viruses, worms and Trojans.
  • Ransomware: This is a type of malware, but works slightly differently by preventing you from using your device. Usually, ransomware asks you to pay a ransom to access your data. But a payment does not guarantee you access or that your files won’t be damaged.
  • Hacking: This is when a cybercriminal breaks into your computer system through the internet. Once in, they can access your data without your knowledge and steal, damage or destroy information. A hacker can hijack usernames and passwords, open bank accounts in your name and cripple business operations.
  • Phishing attacks: An innocent, genuine-looking email, SMS or instant message tricks people into responding voluntarily and parting with personal data. Phishing is used to gain information such as login details and financial information.
  • DDoS attack: This stands for Distributed Denial of Service and this type of attack happens when the cybercriminal uses multiple requests from multiple sources to overwhelm a company’s website or online service to limit it or prevent it from working.

Why do I need cyber insurance if I have cyber security?

It’s a good idea to protect your business as much as you can from cyber threats. 

Anti-virus software can help to minimise the chances of your business falling victim to cybercrime. But at the speed technology and hackers are evolving, cyber security can’t totally protect you.

Results from the UK government’s Cyber Security Breaches Survey show that in 2020 almost half of businesses and a quarter of charities reported having a cyber breach or attack. 

Some of these incidents had minimal impact, and businesses were able to recover quickly, but for others the negative impact of the breach or cyber attack was very costly.

Having cyber-risk insurance provides your business with an additional safety net to help make sure your business can cope and recover as quickly as possible.

Managing cyber risks

As well as taking out the right protection cover, it’s important to manage the cyber risks your business is exposed to. This can help your business to be proactive and resilient in the face of cybercrime. 

If you don’t take reasonable care and precautions to protect your business and reduce your risk, this may invalidate any cyber-risk insurance claim.

There are many ways that you can help to put cyber security defences in place. These include:

  • Regularly training staff on security policies and procedures, such as safe email use, restrictions for installing external applications and how to respond to IT incidents
  • Keeping applications and software updated – there tend to be fewer vulnerabilities for cybercriminals to identify and target in newer versions
  • Conducting a cyber risk assessment to help you identify and monitor the first- and third-party threats your business might be exposed to
  • Putting together a cyber-risk strategy and management plan to help your business prepare and respond to potential incidents before they happen
  • Making regular backups of your most important files and creating multiple copies that are stored in different locations, and not permanently connected to your network

UK and European action to tackle cyber risks

With the increasing digitisation of our economy, digital technology is now touching almost every part of our everyday lives. 

But alongside this digital growth is our increased exposure to cyber attacks, which are now viewed as the highest risk to national security, alongside terrorist attacks. 

In response, the UK government has put in place a number of measures to help prevent and recover from cyber attacks, which include:

Cyber Essentials – a government scheme to help protect your business against a range of the most common cyber attacks. Certifying your business through the scheme helps you to address risks and put in defence measures to prevent the most common attacks.

National Cyber Security Centre (NCSC) – providing practical advice, guidance and support, the centre supports organisations, businesses, and the general public to help improve cyber security and respond to and recover from cyber security incidents.

Cyber Incident Response Scheme – this scheme helps organisations that are the victims of a significant cyber attack. The scheme certifies companies, approved by the NCSC, to carry out cyber incident response activities to help your organisation recover.