Cyber risk is the risk of financial loss, disruption, or damage to reputation as a result of breaches of data security, including unauthorised disclosure of data, and compromise or failures of IT systems. Specific examples include: loss resulting from security breaches where sensitive information (e.g. customer or employee bank details) is stolen or inadvertently disclosed; loss resulting from theft or loss of digital assets, e.g. customer lists and business trade secrets; business interruption due to a virus shutting down a network; and costs associated with damage to data records caused by a hacker. The cyber threats facing businesses are more sophisticated than ever. Data and IT systems are crucial to the effective operation of most businesses. Cyber liability is not an IT risk; it is a strategic business risk.

All types and sizes of organisations are at risk. Cases of large-scale data breaches are well-publicised. However, it is not just the organisations which make the headlines that are at risk. Virtually every business relies on IT infrastructure and, as such, will be exposed to the risks of business interruption, income loss and reputational damage if IT equipment or systems fail or are interrupted, or if data is lost or misused. In addition to business interruption and reputational damage, a business is also at risk of claims for compensation from third parties, e.g. employees or customers, in the event of data breaches; criminal and civil penalties; and investigation costs.

The difficulty facing businesses, however, is that the usual insurance policies a business maintains would not respond in the event that data is lost or stolen: the insurance would not cover the costs of restoring the data, the costs of any reputational damage and claims from third parties. Traditional business interruption insurance would not cover losses suffered if an IT system fails as a result of a virus or other cyber attack.

Managing cyber risks through insurance is relatively new, and many businesses do not realise that they may not have insurance cover for these risks, and may only realise when it is too late. It is, therefore, important for businesses to recognise that they may not have cover for these risks but that cover is available.

Insurance cover for cyber risks is best achieved by way of a specialised cyber liability policy, although insurers may provide cyber cover by extensions to liability policies. Cyber risks fall into two types: direct losses to the business and liability for third-party claims. Cyber risk insurance can cover either or both of these types of risk.

Cover in relation to direct losses to the business may include:

  • Computer restoration and data recovery
  • Business interruption from systems failures
  • Reputational damage arising from a breach of data that results in loss of intellectual property or customers
  • Theft of money or digital assets through theft of equipment or electronic theft

Cover in relation to claims by third parties, typically customers, may include: 

  • The investigation, defence costs and civil damages associated with security and privacy breaches
  • Customer notification expenses when there is a legal or regulatory requirement to notify them of a security or privacy breach
  • Multi-media liability, including investigation costs, defence costs and damages arising from defamation, breach of privacy or negligence in publication in electronic or print media

Cover is usually available in relation to assistance with and management of the incident, which can be essential when faced with reputational damage or regulatory enforcement. 

A business should spend time evaluating the potential risks it faces in relation to the IT and network systems it uses. It should then, with the assistance of its insurance brokers, establish what cover it has in place in relation to these potential risks and, in conjunction with its insurance brokers and insurance lawyers, ensure that so far as possible it has the necessary insurance for the cyber risks.

A failure to ensure insurance protection is in place for the cyber risks could prove very costly in the long run.