There will definitely be attempts to hack your business, school or organisation’s computer systems every day. The question is, should you buy cyber liability insurance, and if so, how do you choose the right policy and level of cover?
This page offers generic guidance, so not all of it may be relevant to your particular circumstances. We outline what a typical cyber liability insurance policy should cover, what you must do to make your cyber liability insurance worth having, and how we can help you manage your cyber risks.
Why might I need cyber liability insurance?
Every day, there are millions of hackers around the world trying to break into networks like yours. There are literally high-rise buildings full of these hackers in countries like Russia and China. They even outsource parts of their hacking activities to other specialist hacking groups, because hacking generates huge amounts of money and has fully evolved into a mature business model.
What are the risks to your own organisation?
If you’re reading this, you are probably responsible for a business, school or other organisation that relies on its IT infrastructure for certain critical activities. If you work for a company, it will be exposed to the risks of business interruption, loss of income, damage management and repair, and possibly reputational damage if your IT systems are interrupted. If you run a school, it would face not only reputational damage but also violations of its safeguarding duty and data protection obligations, and it would simply be unable to remain open while you faced potentially huge costs to rectify any breach.
Would cyber liability insurance be relevant to my organisation’s type of risk?
Cyber liability insurance covers the financial losses relating to damage to, or loss of information from, IT systems and networks. A cyber insurance policy might be the right way to cover your liabilities (the costs you would have to pay to an injured party) if you:
- Hold sensitive customer, employee or pupil details such as names and addresses, banking information, medical records and so on,
- Rely heavily on IT systems and websites to conduct your daily work,
- Process payment card information as a matter of course.
Your organisation may already hold other types of insurance policy that could cover certain losses in a cyber breach, including commercial property insurance, business interruption insurance and professional indemnity insurance. When considering cyber liability insurance, make sure you are clear on what you’re already insured for so that you don’t waste money double-insuring yourself.
What does cyber liability insurance cover?
A cyber liability insurance policy would cover your financial losses resulting from or relating to damage to your IT systems and networks, and losses of information from them.
The devil is in the detail, of course. Cyber insurance policies tend to be modular, so a business insurance broker who understands cyber insurance – and not all of them do – can help to pick out the clauses you need, and not make you waste money on cover and clauses you don’t need. If you’re reviewing a cyber liability insurance policy, your broker should be able to explain each type of cover, how you might need it, and how much it would add to the price of the policy.
Clauses that a cyber liability insurance policy could include:
- The cost of technical assistance to manage the cyber breach itself
- Your liabilities, in other words, compensation you would have to pay to others
- The cost of managing damage to your reputation
- Costs resulting from regulatory enforcement (fines and other penalties) if that’s relevant to your organisation.
Like your car insurance, cyber liability insurance can cover third-party risk, first-party risk, or both.
First-party cyber liability insurance
First-party insurance covers your business’s own assets. This can, but doesn’t always, include any of the following:
- Loss of or damage to your digital assets such as data or software programs
- Business interruption from network downtime
- Cyber extortion, where hackers threaten to release confidential and sensitive data if you do not pay them – usually in bitcoin or other untraceable blockchain assets
- Customer notification expenses, when you have a legal or regulatory requirement to notify customers of a security or privacy breach
- Reputational damage caused by a breach of data that results in loss of intellectual property or customers
- Theft of money or digital assets, through physical theft of equipment or electronic theft
Third-party cyber liability insurance
Third-party insurance covers the assets of others, usually business customers but also school pupils or even members of the public. This may include:
- Security and privacy breaches. In this case you could claim for the cost of the investigation, your legal defence costs and any associated civil damages that you might have to pay.
- Multi-media liability. This would cover the investigation, your defence costs and the civil damages you might have to pay if your hacked data contained defamatory material, or for breaches of privacy or negligence arising from sensitive data being published electronically or in print media.
- Loss of third-party data, which would include the cost of paying compensation to your customers for denial of access, and any other losses they suffered because of the failure of your software or systems.
What level of cyber liability insurance cover should I get?
Cyber liability insurance policies for smaller businesses are available with cover limits between £100k and £5 million. Far higher amounts of cover are available for large firms which could be liable for larger payouts, and these firms tend to divide their cyber liability insurance cover between more than one insurance policy and form.
Any insurance broker who deserves your business should know how to help you calculate the right level of cover for your organisation’s size and the level of risk you are exposed to. We suggest talking to several different insurance brokers before you make your decision about your cyber insurance so you can compare the quality and depth of questions they ask and evaluate which of them seems best informed.
The right reason and the wrong reason to buy cyber liability insurance
Now we come to the biggest misconception of all in the whole question of cyber liability insurance.
The wrong reason to buy cyber liability insurance
Many businesses and schools think that this insurance is a great way to cover any holes in their cyber security protections such as anti-virus, ransomware protection, email and data backups or internet filters. They hope it might be the best safety net if they forget to install security patches as soon as they are released, overlook staff cyber security training, or never carry out backup restoration simulations and controlled phishing tests.
This is absolutely the wrong reason to buy cyber insurance, and the explanation is simple. If you have overlooked any of these sensible precautions, your cyber insurance claim will be rejected. It’s a bit like thinking your house insurance will still pay out if you go on holiday leaving the front door wide open.
When you submit a cyber liability insurance claim, you have to include documentation on all the sensible precautions you took to try to prevent the hack from taking place. Not having cyber security documentation to submit with your claim is one reason claims are rejected.
The right reason to buy cyber liability insurance
So, what’s the right reason for buying cyber liability insurance? Sadly, no matter how many precautions you take, there’s no such thing as being un-hackable. If you can answer YES to all these questions, you may have good reason to buy cyber liability insurance:
- If you fell victim to a cyber attack, would you be unable to cover your direct financial losses, or pay for all your liabilities to compensate others?
- Would you be unable to claim for these losses through other insurance policies that you already have?
- Are you taking every reasonable precaution to protect your systems from hackers, in proportion to the risk level of your type of business or professional activities?
- Have you documented everything you have done and are doing in this respect?
Managing cyber risks and making your cyber liability insurance worthwhile
We can help you implement all the cyber security measures you need to minimise the risk to your business or school. We will evaluate the type of risks and the risk level of your organisation to make sure you have the right level of protection – not too restrictive or expensive, but not too lax either. We can document all your cyber protections for you, in a file you can store in hard copy along with your cyber insurance policy, just in case you need it.
Flywheel IT Services has teams of highly qualified and experienced IT engineers and consultants around the UK.
For over 20 years we have partnered with businesses, schools and major construction companies to provide IT services and to guide and support their IT projects, tech strategies and day-to-day operations.