Here we take a look at cyber security, why you may decide you need it, how much it costs, and where to get it.
What Is Cyber Insurance?
Cyber insurance is a type of insurance policy designed to protect businesses and individuals from internet-based risks, and more generally from risks relating to IT infrastructure and activities. It provides coverage for financial losses that result from cyber incidents such as data breaches, network damage, and cyber extortion. For example, businesses may face costs resulting from data/security breaches, media content liability (e.g. intellectual property infringement), GDPR defence costs or paying GDPR fines, credit/debit card breaches, data breach response services, data breach notification, legal fees, system repairs, and more.
Why Would Your Business Need Cyber Insurance?
Just as we need to ensure our most valuable and valued physical-world possessions are protected (e.g. our homes and cars), we now live in a digital age where people and businesses now rely heavily on technology and online platforms to operate efficiently. However, this dependence makes businesses vulnerable to a range of cyber-threats, including data-breaches, ransomware attacks, and hacking incidents. Even a single cyber-attack can result in substantial financial losses, legal liabilities, and reputational damage. Cyber insurance, therefore, provides a safety net, so that businesses can recover financially and operationally from these incidents. By covering costs such as data-breach notification, legal fees, and system repairs, cyber insurance helps mitigate the financial burden of cyber-attacks.
Risk Management Too
Cyber insurance can also play a crucial role in risk management. For example, it encourages businesses to assess their cyber vulnerabilities and implement robust security measures.
Insurers often require policyholders to adhere to specific security protocols, which enhances overall cybersecurity standards. This proactive approach not only reduces the likelihood of an attack but also ensures businesses are better prepared to respond effectively if one occurs. Therefore, having cyber insurance is not just about financial protection, but it’s also about fostering a culture of cybersecurity within the organisation.
Not Forgetting Regulatory Compliance
In addition to financial and security benefits, cyber insurance is essential for regulatory compliance. Many industries are subject to strict data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe and non-compliance can, of course, result in hefty fines and legal consequences.
Cyber insurance policies, therefore, often include support for regulatory compliance, helping businesses navigate complex legal requirements and avoid penalties. By providing resources for legal counsel and regulatory guidance, cyber insurance ensures that businesses can meet their obligations and maintain trust with customers and stakeholders.
What Kind Of Things Does It Cover?
As mentioned above, broadly speaking, cyber insurance aims to provide financial cover for things like data breaches, network damage, and cyber extortion. Cyber insurance for UK businesses actually provides comprehensive coverage for various cyber-related incidents. Here are some examples of what it typically covers:
Data Breach Response
– Notification Costs: Covering the expenses of notifying customers and affected individuals after a data breach.
– Credit Monitoring Services: Providing credit monitoring to those whose personal information has been compromised.
Business Interruption
– Loss of Income: Reimbursement for lost revenue due to a cyber-attack that disrupts normal business operations.
– Extra Expenses: Covering additional costs incurred to keep the business running while dealing with the cyber incident.
Cyber Extortion
– Ransom Payments: Payments made to cybercriminals to regain access to data or systems.
– Negotiation Costs: Expenses related to negotiating with extortionists and managing ransom demands.
Legal Fees and Defence Costs
– Third-Party Claims: Legal expenses arising from lawsuits due to a data breach or security failure.
– Regulatory Fines and Penalties: Coverage for fines and penalties imposed by regulators for data protection breaches, such as those related to GDPR.
Crisis Management
– Public Relations: Costs associated with managing and repairing the company’s reputation after a cyber incident.
– Forensic Investigation: Expenses for investigating the cause and extent of the cyber-attack.
Network Security Liability
– Liability Claims: Coverage for claims arising from failure to protect data, resulting in data theft or corruption.
– Defence Costs: Legal defence costs for claims related to network security breaches.
Media Liability
– Defamation and Infringement: Coverage for claims of libel, slander, copyright infringement, or defamation resulting from digital content.
Technology and Data Recovery
– Data Restoration: Costs of restoring and recovering lost or corrupted data.
– System Repair: Expenses for repairing or replacing damaged hardware and software
You may be thinking after looking at this list that there are many more costs than you may have thought associated with dealing with the results of a data breach, cyber-attack, or serious and disruptive network issue. These costs, plus the high levels of ever-more sophisticated cyber-crime, may be the arguments behind many businesses now having cyber insurance.
What Proportion of Businesses Now Have Cyber Insurance?
Considering the large potential costs of dealing with a serious cyber / network incident (as shown above) it may be a surprise to know that the proportion of businesses with cyber insurance in the UK is still relatively modest. For example, the latest data shows that only 43 per cent (UK Home Office 2024) of UK businesses have a cyber insurance policy in place and within this group, a small fraction, around 5 per cent (Insurance Business UK), have specialised cyber insurance policies tailored to their specific needs. Most companies rely on broader policies that include some form of cyber risk coverage as part of their overall insurance package.
This may be particularly surprising given that according to the Cyber Security Breaches Survey 2024 by the Department for Science, Innovation and Technology (DSIT):
– 32 per cent of businesses and 24 per cent of charities experienced a cyber security breach or attack in the past 12 months.
– Among larger businesses, the figures are higher, with 45 per cent of medium businesses and 58 per cent of large businesses have reported cyber-crimes.
– The average short-term direct cost for businesses dealing with a cyber incident was £1,650, which increases to £6,490 for medium and large companies.
– Long-term direct costs, which include expenses incurred after the initial breach, averaged £782 for all businesses but reached £6,010 for larger firms.
Who Provides It?
Several examples of the well-known insurers in the UK market that offer cyber security insurance include:
– AXA provides comprehensive cyber insurance that covers a range of cyber risks, including data breaches, business interruption, and cyber extortion.
– Aviva offers cyber insurance policies that can be tailored to businesses of all sizes. Their coverage includes protection against data breaches, cyber extortion, and business interruption caused by cyber incidents, and there is access to a 24/7 cyber incident helpline and expert support.
– Hiscox provides coverage which includes costs associated with data breaches, cyber extortion, and third-party liability, and it offers risk management tools and resources to help businesses improve their cyber security posture.
– Zurich’s offers cyber insurance policies covering a wide range of cyber risks, including data breaches, network security failures, and cyber extortion. Zurich also provides access to a global network of cyber experts and offers pre-breach services to help businesses mitigate their cyber risks.
There are, of course, many other companies that offer cyber insurance. For example, even Amazon now offers it with AWS Cyber Insurance Competency Partners, and through a partnership with Superscript is offering cyber insurance to small and medium-sized businesses in the UK. For example, Amazon Business Prime users can access it product by logging in to Superscript using their Amazon account.
How Much Does It Cost?
Obviously, the price of cyber insurance varies according to factors like the size of the business, the level of coverage, and the industry. However, as a very general guide:
– Small businesses in the UK may expect to pay around £115 per month for cyber insurance / £1,380 annually (Insureon), which can fluctuate depending on the specific risks associated with the business and the amount of sensitive data handled.
– Medium-sized businesses may see premiums ranging from £1,500 to £5,000 per year, with the variation being due to the higher risk and more significant potential losses associated with larger volumes of data and more complex IT systems.
– For large businesses, cyber insurance costs can range from £10,000 to £50,000 annually and can include higher coverage limits and broader protection against various cyber threats (reflecting the greater complexity and risk involved).
What Does This Mean For Your Business?
The rising tide of cyber threats highlights the urgent necessity for businesses to not just strengthen their cyber security measures, but also to consider adopting comprehensive cyber insurance policies. Cyber-attacks are not only becoming more frequent but also increasingly sophisticated, posing severe risks to financial stability and operational continuity. For businesses, this means that traditional security measures alone may no longer be sufficient. Cyber insurance provides a critical safety net, offering financial protection against the costs associated with data breaches, business interruptions, and other cyber incidents.
Investing in cyber insurance can significantly mitigate the financial and operational impacts of cyber-attacks. Policies typically cover a range of expenses, from data breach notifications and legal fees to system repairs and business interruption losses. This ensures that businesses can recover more swiftly and maintain their operations with minimal disruption. Also, cyber insurance often includes access to expert support and resources, helping businesses to manage incidents more effectively and reduce the risk of recurrence.
In addition to financial protection, it’s important to remember that cyber insurance also plays a crucial role in regulatory compliance. For example, many industries are subject to stringent data protection regulations, such as the GDPR in Europe, and non-compliance can result in hefty fines and legal consequences. Cyber insurance policies frequently offer support for navigating these complex legal requirements, helping businesses to avoid penalties and maintain trust with customers and stakeholders.
For businesses evaluating their need for cyber insurance, it’s important to consider the broader benefits. Beyond immediate financial coverage, having a cyber insurance policy can drive improvements in overall cyber security practice. For example, insurers often require policyholders to implement robust security protocols, fostering a culture of proactive risk management within the organisation. This not only reduces the likelihood of successful cyber-attacks but also ensures that businesses are better prepared to respond effectively when incidents do occur.
Given the substantial costs associated with cyber incidents, the investment in cyber insurance becomes a strategic decision. Whether you are a small business, medium-sized or a large corporation, the protection and peace of mind offered by cyber insurance can be invaluable.
The evolving landscape of cyber threats, therefore, appears to necessitate a multifaceted approach to cyber security and you may decide, for all the reasons mentioned above, that cyber insurance should be a cornerstone of this strategy for your business.