What is cyber insurance?
To varying degrees, businesses have insurance in place to protect from the impacts of crime, accidents or errors. However, business insurance is struggling to keep up with digital transformation and the new and constantly evolving cyberthreats and the risk they present to business.
This isn’t to say that specialist insurance isn’t on the market. Early adopters are offering cybercrime insurance, with new products being launched at a steady pace. But cyber insurance policies are frequently lacking in clarity, in large part due to the constant emergence of new cyberthreats, tactics and vulnerabilities.
In short, you may not be covered for cyberthreats that develop after you initially sign up to a policy. Equally, since insurers recommend policies based on current risk, your circumstances may change to the point you’re left with inadequate cover.
How does it work?
We all know how insurance works – something goes wrong that results in financial loss, and we turn to our provider to pay out on an eligible claim. Things aren’t quite so straightforward with cybercrime insurance though, and thanks to a combination of misinformation, poor awareness and unmanageable rates of risk development, many businesses wrongly believe they’re covered or fail to take out specific insurance at all. A worrying 52% of businesses assume their business insurance covers cybercrime when this is rarely the case. Most insurers exclude electronic data under the definition of “covered property”, and general liability won’t cover it either.
It can be difficult to get cover in the first place, especially for smaller businesses or those just beginning their digital transformation journey. Securing a policy often depends on the implementation of certain digital security practices and compliance policies, meaning a business could be thousands of pounds out of pocket before they’re even eligible. Experts are also concerned that businesses will simply take out the most basic cyber insurance policies due to lack of education or professional advice.
Cyber insurance panic purchasing
- The impact of WannaCry, a 2017 ransomware attack that locked down over 300,000 Windows 7 computers and demanded between $300 and $600 per device, was a major driver of change in insurance. One of the hardest-hit victims was the UK’s National Health Service, which experienced a critical systems lockdown in 36 hospitals.
- In response, cyber insurance adoption increased, with finance among the sectors doing most of the buying. SecureData, a cybersecurity company, characterises the purchasing as a “mad panic”.
- As WannaCry targeted legacy equipment, victims were deemed ineligible for compensation due to voluntary risk – i.e. running old equipment with known cyberattack vulnerabilities.
- The cost of lost productivity was estimated at an incredible $4bn.
The potential damage
1. Revenue, business stability and share price
The finance industry and finance departments typically experience the costliest breaches due to their proximity to funds. They also suffer higher than average rates of lost business and customers, and larger fines. Direct and indirect costs ultimately have a serious impact on cash in the bank, on current and ongoing business stability and, for a listed company, on share price and investment attractiveness.
Such losses can be catastrophic and will certainly change the shape of many unprepared businesses. According to research by the Ponemon Institute and IBM, the average cost of a data breach is £2.99 million in the UK. However, having cyber insurance in place will significantly reduce the blow by covering direct losses, allowing victims to focus on recovery strategy.
2. Brand and reputation
Any data breach or cyberattack on a finance business or department is the stuff of PR nightmares. The public and investors expect funds to be watertight and protected by any means necessary – therefore a cyberattack event suggests complacency and shakes trust. If customer data or cash are affected, brand and reputational damage will be much more severe in duration and intensity. This is all without touching on the career threat to the overseeing executive, who may be pressured to resign following a breach. Cyber insurance will at least ensure that customers are compensated and feel no ill-effects, increasing your chances of recovering brand position.
3. Fines and GDPR
Thanks to the GDPR, the ICO now has the power to issue eye-watering fines when businesses are found to have failed in their duty to protect customer data. In 2019, the ICO announced their intention to fine BA £183m and Marriott £99m for significant data breaches. For most organisations, these figures are absurdly high, but the threat remains.
How to minimise risk
1. Take out a cyber insurance policy
Ensure you’re equipped with an appropriate cyber insurance policy that will pay out for breaches, customer losses and, if possible, associated liability. Seek out a product that offers flexibility and will cover threats that emerge throughout the duration of the contract. To get the best-aligned policy and price, review your cybersecurity before applying and consider partnering with an IT managed service provider for extra peace of mind.
2. Review data protection policies
The GDPR demands that businesses are more disciplined when it comes to data. After insuring both the business and its customers against cybercrime, review your data protection policies against regulations and legislation to ensure that you’re not only meeting requirements, but have sealed any other gaps. Robust data protection policies won’t just save you from fines and get you a better insurance rate – they can be a first line of defence against attack, too.
3. Voice cyber concerns at board level
Being aware and educated about cybercrime and the ways in which its impacts can be reduced is a critical step in securing the heavily targeted finance sector from attack. We recommend that you raise cybersecurity, and current and future threats, with the board, so that everybody has full visibility of risks and available solutions. Use this to shape a compelling business case for securing budget for the best possible cyber insurance.
4. Invest across your cybersecurity vertical
Audit current cybersecurity measures – from training to software and business continuity – and work with a provider to plug any gaps and fortify defences. This won’t just secure you a better insurance policy rate as mentioned above. By adding extra layers of cybersecurity, you can potentially minimise the amount you need to claim, which can improve your cash position and stabilise policy costs for accurate financial planning.
With strong disaster recovery, you can also bounce back from a breach quicker and resume trading while waiting for insurance to process. This means that you continue to make money organically and cash flow suffers less of a hit.