There’s always a lot to consider when it comes to Cyber insurance policies, from glaring differences to hidden fine print. Of course, a lot will revolve around the level of risk that applies to your business, but it pays to know the basics when comparing Cyber cover.
In this blog, we’ll provide our key tips to spot these main aspects, so you can make a quick comparison and select the right policy for you.
1. Does it include an effective cyber response service?
Hackers won’t wait until you’re in the office to attack your systems – so you need an insurer with an effective and available cyber response service 24/7, 365 days a year. Response services are on hand to tackle cyber issues immediately, mitigating the impact and allowing you access to agreed costs and services.
Without it, you’re left alone to tackle the incident until the insurer opens for business. Often, you would not get reimbursed for any immediate emergency costs incurred, as the policy might state that all costs need to be pre-agreed.
Our advice is simple: never take out cyber insurance unless the insurer offers a 24-hour cyber response service, even if the premium is significantly lower. It’s cheap for a reason, but cyber breaches themselves are rarely insignificant.
2. Where does the policy cover operate?
It’s all well and good to take comfort in being a UK entity, but if you deal with data on individuals, there’s a chance this will include overseas nationals. Different countries have different regulations, and some – like the USA and Canada – can be pretty tough.
We’ve seen some cyber policies restricting cover to the UK only, which aren’t suitable for any modern business. But fortunately, most insurers give cover for overseas risks, with many doing so on a fully worldwide basis, both in regards to geographical limits (where they are based) and jurisdiction (under which courts the claims might come).
3. Does it cover fines?
Most fines, criminal fines in particular, aren’t insurable because insuring them is against public policy. But some civil ones are – for instance, it’s generally agreed within the UK commercial insurance market that ICO fines are likely to be allowable.
Therefore, it would be wise to find an insurance policy that will cover fines where allowed by law.
4. Does it cover ransom?
Paying ransoms after a cyber attack isn’t necessarily morally clean, and it can encourage future attacks elsewhere, effectively funding criminal activities.
That said, currently, many insurers tend to reimburse these amounts. Ransomware demands are no longer small – normally hitting six figures, so it is an important area to try to insure.
Not all insurers will cover it, and that’s unlikely to be for moral reasons. It’s normally just the same budget insurers who don’t provide effective cyber response services in an emergency.
5. How long is the business interruption cover?
If you suffer a ransomware attack, it won’t be a quick fix. Specialists need to check that the threat is credible, whether the extortionists have accessed data, what data that is, where they gained access, and how to prevent it from recurring. This can leave your business out of action for a long time, losing revenue and incurring additional expenses. It can also lead to clients cancelling contracts, further impacting your business.
The quality and length of business interruption cover are paramount – and insurers know this. Having suffered large claims in the past, some are paring back.
For example, Hiscox generally provided three months of business interruption under their policies. But now, they’re reducing it to just one month for a lot of cases (correct at the time of publishing). While their position is logical for them, you need to do what is best for your business. The reality is that many insurers are giving indemnity periods of up to 12 months.
We recommend getting quotes for the longest period possible and bearing this in mind when deciding between insurers.
6. What limit type is the policy?
Most Cyber & Data policies are quoted on an aggregate basis – where the limit provided is for the whole year, without resetting after each claim. However, there are a handful of insurers willing to quote on an “any one claim” basis. We’ve discussed the differences between the two before, but, in essence, “any one claim” limits give more protection.
Additionally, it often helps with complying with US contracts that ask for both a per-claim limit and an aggregate one. For example:
A US contract requires an agency to have Cyber & Data cover at a £2,000,000 per claim limit and a £5,000,000 aggregate.
This means if your insurer is quoting on an aggregate basis, you will need to buy £5,000,000 to comply. However, if it’s on an “any one claim” basis, the agency would only need to purchase a £2,000,000 limit. This is because, on an “any one claim” basis, there is effectively no aggregate cap.
So, keep an eye out for insurers quoting on an “any one claim” basis, as it can be a real benefit.
7. What’s the level of excess?
There are two types of excess for Cyber insurance: a standard financial excess and a “time excess”. The financial excess can range from a few hundred pounds to tens of thousands; the time excess from a few hours to a full day.
Time excess is used as the trigger for business interruption. It sets a minimum time the organisation’s systems must be out of action following an attack before the business interruption section can respond.
With both excess types, you’ll want them as low as possible.
The excess level applied by insurers might be fair and reflect your risk level. However, it might simply be the insurer’s default position, and not appropriate for your business’s exposure. It’s worth speaking to a broker about what is reasonable. Plus, some insurers reduce their excess if you take certain actions, such as completing training programmes or notifying claims within set periods.
8. What’s the scope of cover?
We can’t go into full detail on the fine print of every policy. It would be a ridiculously long blog that almost no one would read.
We can, however, point out a few key things to look for – does the cyber quote include or exclude the following?
Dependent business interruption
If an attack targets your own systems, that’s normally insured under Cyber & Data policies, but what happens when the attack is on your supplier?
It might just be a simple matter of a technology provider you outsource to being attacked. But if they are out of action, how would that affect your business? This isn’t always insured, so check the fine print to see if such scenarios are covered.
People are the weak link in cyber defence, so it’s a good idea to prioritise quotes that include cover for employee mistakes. You’ll probably need to check the fine print.
Property damage and bricking
Cyber attacks can cause property damage. While the doomsday scenario we all think of is a hacker crashing an aircraft, the real risk for businesses is damage to computer equipment, even from just making it overheat. And this is not always covered.
These are areas where claims are quite likely to occur, and although some insurers allow you to add them for an additional premium, it’s better if they are part of the standard cover.
9. Does it include cyber risk management?
Many insurers now provide risk management tools free of charge for policyholders.
While good marketing, it’s not altruistic. It’s a sensible way for insurers to improve the risk profile of the businesses they insure.
These services usually involve employee training, simulated phishing attacks, and real-time web monitoring. The better ones will alert a business when they believe they have uncovered a vulnerability, so it can be fixed before hackers take advantage.
Some insurers might reward businesses for using their risk management tools, like reducing their excess. Recently, we’ve seen the registration and use of these tools as a mandatory condition of cover. While strict, it’s a good idea.
10. Does it cover cyber crime?
Your normal Cyber & Data cover will protect you from any legal (cyber) liability following a breach or hack, but it doesn’t pay for any money stolen during the attack.
This is where cyber crime cover comes in: it’s a policy for your own funds and those you may hold for clients should you fall victim to a social engineering attack or funds transfer fraud. The limits are normally a lot lower, usually no more than £250,000.
With social engineering claims growing in number and attacks getting more sophisticated, this cover can be really crucial.
Note: Cyber and the Professional Indemnity package
It’s also important to note that some insurers won’t quote cyber in isolation for technology and media risks. Why? Because claims for cyber and data can often cross over into Professional Indemnity territory. While insurers have sought to improve clarity, a data breach could still easily trigger both policies.
How can RiskBox help?
If you’d like to discuss a new Cyber & Data policy or review your existing plan, call us today on 0161 533 0411 or email email@example.com.
Uncategorized - December 5, 2023