Cyber Insurance Guidance for Businesses  

09 February 2023    |    By: Nathan Bentley

For many businesses, handling personal and sensitive data comes with the territory and is considered to be a key business activity. That’s why those handling personal data must dedicate time to ensure they have had the relevant data security training needed in order to do their job, or run their business effectively.

By deploying the correct data security measures, it’s possible to safely manage risk when handling personal data. However, things can unfortunately go wrong. When it comes to cyber security, even the most robust processes can sometimes be circumvented and data can be lost or exposed. Whether that’s because of a professional mistake, an issue with technology, or the actions of an ill-intentioned person, data security breaches are bad news and could cost your business a lot of money should a claim be raised against you.

That’s why cyber insurance is an essential cover for any business which manages or handles digital-based personal data in any capacity.

The severity of a cyber incident tends to determine the financial impact it will have on a business. During such an event a business could expect to have to pay for:

  • The recovery of lost data
  • Investigations into how the incident occurred
  • Upgrades to systems
  • Court settlements and fees raised as a result of the breach

Even relatively small cyber incidents could end up costing your business a lot of money.

According to the Cost of a Data Breach 2022 report by IBM, the global average cost of a cyber incident to a business is $4.43m, or as much as double that for breaches taking place in the United States. Shockingly, the report estimates that for 83% of businesses in the US, it’s not a case of ‘if’ a data breach occurs, but ‘when’.

Globally, the most costly breaches include:

  • Phishing - $4.91m
  • Compromised email addresses - $4.89m
  • Third-party software vulnerabilities - $4.55m
  • Ransomware attacks - $4.54m
  • Compromised passwords - $4.50m

Most strikingly, the report found that on average it took a total of 277 days for a data breach to be detected – this really provides insight into just how debilitating a cyber incident can be. Some businesses may not even notice personal and sensitive data being stolen, manipulated or lost for a significant period of time, after which point the level of damage inflicted could be catastrophic.

The report by IBM looks at data breaches on a global scale, but a very similar picture is painted when you focus on breaches in the UK alone. The Cyber Security Breaches Survey is a government project which aligns with the National Cyber Strategy to research and document cyber-attacks in the UK.

The key findings of the latest survey show that during the last 12 months, 39% of registered UK businesses identified a cyber-attack on their company. This mirrors the data from 2021. During 2020, as many as 46% of businesses also identified a cyber incident, proving that over the years, data breaches have had a major impact on UK businesses.

Furthermore, according to the report, the average cost to a business involved in a data breach in the UK is between £4,200 and £19,400. The report does highlight, however, that this figure is likely to be underreported and therefore the average cost to a business is probably higher.

Phishing attempts made up the majority of UK cyber-attacks over the past 12 months (83%). However, one in five businesses identified a ‘sophisticated attack’ such as DDoS (distributed denial of service), malware or ransomware attacks – these types of attack tend to have more significant consequences than phishing attempts and therefore tend to be associated with higher costs too.

One of the most famous examples of a high-profile, long-term data breach involves Meta (previously called Facebook), which has recently been ordered to pay out $725m in a class-action lawsuit, in the wake of alleged privacy violations during the Cambridge Analytica scandal. Cambridge Analytica (a British consulting firm) used a third-party app to obtain personal data from a reported 87 million personal Facebook profiles. Failures by Meta are thought to have allowed this to happen.

This settlement makes it the largest cyber incident settlement ever recorded in the United States, and sheds light on just how seriously the courts take such incidents. 

Ultimately, businesses have no legal obligation to take out cyber insurance. However, for any business which uses digital technologies and handles personal data, cyber insurance comes highly recommended.

In some limited and specific instances, your business interruption cover may include a level of cyber cover. However, you shouldn’t just assume that this is the case – if uncertain, you should contact your insurer or broker to ensure you have adequate cover to suit your business needs.

Since cyber threats are so varied, it’s always best to take out a cyber insurance policy that covers a range of eventualities. Should the worst happen, you need to ensure your business is adequately covered, as the costs associated with a cyber incident, as we have discussed earlier, can be astronomical.

When taking out cyber insurance, there are a number of questions that you should ask to ensure that your cover is adequate. Working with a qualified insurance broker is the best way to go about this, as brokers have the intricate knowledge needed to ensure the right questions get answered and that the best possible cover can be provided.

Some of the questions you should consider include:

  • What data, systems and devices need to be covered?
  • Do I need any specific software? i.e. anti-virus, encryption, etc.
  • Will I need to keep my systems and mobile devices updated?
  • What prerequisites must the business consider? i.e. password protection, specific allocation of items, etc.
  • What types of cyber incident could the business be impacted by?
  • What types of cyber incident are covered by the policy?
  • Does the policy cover claims by third-parties?
  • Are the limits of the policy appropriate to that business?
  • Does the insurer provide any immediate services in the event of a cyber incident?
  • Does the insurer provide any additional, after incident support?
  • What measures need to be in place to make a claim?

When taking out a cyber insurance policy, it’s important that you remain in close contact with your insurer or broker, because the digital landscape is forever evolving and new risks regularly present themselves. Good communication can ensure that your business has the correct and most up-to-date cover. For example, if your business switched to using a new service to host personal information, the insurer would need notification of this to ensure the policy remains valid, or that any necessary changes can be made in order to accommodate the new service.

Above all, the protection of data is paramount, and as businesses move their data storage to electronic devices, protecting it is becoming much more difficult. The cyber-scape is a complex place. It’s ever changing, and there are so many factors to consider when securing data that the chance of something detrimental happening is higher than ever before.
