What is cyber insurance and how much does it cost?

Updated 03 December 2020

6min read

Nick Green

Financial Journalist

Updated 03 December 2020

6min read

Modern business depends fundamentally on technology, which makes the risk and impact of cybercrime higher than at any time in the past. What’s more, this trend is likely to continue – making cybersecurity as essential as simply having locks on your office doors.

Cyber insurance exists to help businesses large and small recover in the event of cyberattack. Standard insurance policies don’t typically cover the loss or damage of digital assets, so this sort of policy will be highly advisable unless your business is one of the diminishing number that uses the internet very little.

Here’s how this kind of insurance works.

What is cyber insurance?

Cyber insurance is a type of business insurance, designed to protect businesses of any size from the financial consequences of attacks on their work computer systems.

Every day, hackers attempt to access business and personal data. According to the 2020 UK Cyber Security Breaches Survey, 46% of businesses suffered a cybersecurity breach or attack in the last 12 months. Of these businesses, one in five lost money or data to the breach, while two in five faced business interruption.

Cyber insurance policies help minimise the financial and business damage of these hacking attempts, covering costs related to data recovery or business disruption. The policies can also protect against non-criminal loss or damage, such as an IT system failure.

How does cyber insurance work?

Let’s say you’re a small business that sells leather goods online. Because customers order and pay for your products via ecommerce, you collect customer data including credit card numbers and billing addresses. A cybercriminal hacks into your system, stealing data from 1,000 customer accounts. They shut down your website and demand a ransom in exchange for the data. You spend the day figuring out what to do.

In this scenario, not only is your customers’ data being held ransom, but your website is down and customer accounts are blocked, so you’re losing business and taking hits to your trust levels. Restoring everything will cost you – and this is where cyber insurance will help.

Like any other insurance, you’ll take out a level of cover appropriate to your business and risk level, pay a monthly premium and claim back in the event of an incident. Sometimes, you may not be aware you’ve been attacked until much later. Fortunately, many insurance providers allow you to claim from the date you discovered the breach, and not just from when it actually happened.

What does cyber insurance cover?

There are two types of cyber insurance. Depending on the type of business you have, you can take out one or both:

• First-party insurance – first-party cyber insurance covers your business’s own assets. This policy pays out for direct and indirect costs if you lose money, data, software, intellectual property or customers to cybercrime – either from the direct attack, or from the business downtime and reputational damage it causes. It can also cover the cost of response efforts, such as setting up an emergency call centre to notify your customers of the breach.
   
• Third-party insurance – also known as cyber liability insurance, this covers the assets of others, e.g. your customers. For example, hackers may steal customer information, damage their data, block their accounts, or tamper with their profiles and websites. Like any liability insurance, third-party policies will cover the costs you’re legally liable to pay, including those related to investigation, legal defence, civil damages and compensation.

If your business doesn’t handle a lot of customer data electronically, third-party insurance might not be necessary for you.

Does cyber insurance cover ransomware?

Ransomware attacks involve a piece of hostile software (‘malware’) that might encrypt your files, lock your computers or otherwise threaten your IT systems, and then demand money from you in order to release your data or equipment. Such incidents are on the rise, so many cyber insurance policies offer cover for them. Cover might be included in your policy, or it might be available as an optional extra. Check with your insurance provider to see what they offer and at what level. Be sure to ask if they cover the full cost of ransom payments (bearing in mind that these might even not be effective but just another scam), system recovery and other indirect costs (such as business disruption and reputation management) related to the incident.

What is not covered by cyber insurance?

Like any insurance, cyber insurance policies have their exclusions. These can differ by provider, but, in general, this insurance does not cover:

• Potential future lost profits – cyber insurance covers money lost during business downtime. However, this doesn’t extend into future lost profits. For example, if your turnover at the end of the year is going to be less than projected because of the data breach, you can’t make a claim for this.
   
• Loss of value due to intellectual property (IP) theft – there are many hidden and indirect costs related to IP theft that are hard to identify and quantify. Losing your IP, for example, can result in lost opportunities, revoked contracts or the devaluation of a trade name. Similar to the above, your insurance won’t cover the costs of these long-term losses.
   
• Betterment costs – after a security breach, businesses often upgrade their technology systems. Although your insurance will help you recover your current systems, it won’t help you improve them.

Do I need cyber insurance?

If your business deals with sensitive customer data, does a lot of business over the internet, and doesn’t have cover from any external cybersecurity providers, cyber insurance is worth investigating.

Businesses with good anti-virus software, or businesses that are small-scale, often think they’re at less risk. It’s true that data protection software is getting more advanced and sophisticated – but so are the cybercriminals. Even with the best defence, no business is fully immune. As for being a small business, it’s worth remembering that size is no obstacle to hackers, when a piece of malware can be multiplied at no extra cost. As larger corporations become harder to target, small businesses may find themselves in the front line of attacks.

A 2018 Hiscox study also found that small businesses face some 65,000 attempted cyberattacks every day. Small businesses are less targeted than medium to large organisations, but more vulnerable to financial collapse from the attack, since they often lack the funds to sufficiently recover.

What are the cybercrimes I need to protect against?

There are four common types of cybercrime that often catch businesses out:

• Phishing – phishing is a type of fraud designed to steal personal information by phone, text or email. Often, attackers disguise themselves as a credible and trustworthy entity (such as your bank) and ask for your PIN, address or password.
   
• Malware – malware often arrives through suspicious emails, files, downloads or links. Once opened, harmful software installs itself in your system, allowing attackers to spy on your activities and steal private data in the background. Attackers might use this information for themselves, or sell it to a third party.
   
• Ransomware – ransomware infects your system and encrypts data, allowing the attacker to hold it ransom and demand a fee to decrypt. According to the UK Cyber Security Breaches Survey, these attacks increased 97 per cent between 2017 and 2019, with the average ransom demand sitting at £837. Paying the money won’t necessarily work, either.
   
• Hacking – unlike the other three, hacking can happen without any action on your part. It involves skilled hackers finding vulnerabilities in your computer system and gaining unauthorised access into it.

How much does cyber insurance cost?

The price of your cyber insurance policy depends on a few key factors, such as your annual turnover, risk level and the amount of cyber security you have in place. Certain industries, like financial services, are bigger targets for cybercrime because of the amount of sensitive data they carry, so these businesses will need more cover.

Where can I buy cyber insurance?

There are lots of cyber insurance providers in the UK, and this is a growth industry. To find the insurer best suited to your needs, first talk to your accountant to work out the level of cover you may need, and also consult with your IT provider. An IFA who specialises in small business advice should also be able to help. The important thing is to be clear about your business’s needs before rushing into any particular policy.

What else can I do to secure my business against cyber criminals?

Cyber insurance offers a safety net, but prevention is always better than cure. Because a company cannot be completely secure from cybercrime, you should focus on being resilient and proactive. Here are a few steps to introduce today:

• Train your staff on cyber threats – help them identify and avoid phishing attacks, scams and suspicious emails.
• Use trusted network and software partners – look for partners that are GDPR compliant and have robust security measures in place.
• Keep your operating system, applications and anti-virus software up to date – run all the regular updates to ensure you have the latest security features. These evolve as the hackers do.
• Control data access – limit who can access and handle sensitive data. Use password-protected accounts and WiFi networks. Encrypt important emails and documents.
• Use penetration testing – companies often employ what are called ‘white-hat’ or ethical hackers – people who deliberately hack into your systems to expose the vulnerabilities, so that you can proactively build better defences against the malicious ones.