Cyber threats are one of the principal risks facing UK businesses, with 81% of large businesses and 60% of small businesses suffering a cyber security breach last year (according to a survey released by the Department for Business, Innovation and Skills, available here). However, many business leaders are largely unaware that cyber risks can be insured and underestimate the extent of their existing cover, according to the Cabinet Office’s March 2015 paper on “UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk”.

The term ‘cyber threat’ covers a broad range of risks - both accidental and malicious - ranging from the cost of reconstituting data and software lost as a result of deletion or corruption, cyber crime (eg direct financial losses caused by IT fraud or theft), business interruption (eg loss of profits due to systems going down), cyber extortion, the cost of responding to a privacy breach event (eg a data protection breach), reputational damage and the significant costs of investigating and responding to any cyber incidents. 

Many CEOs overestimate the extent of their existing cover for these cyber risks. 52% believed they were covered under existing policies when in fact, according to statistics from surveys commissioned by the insurers Marsh and Zurich, less than 10% actually were. We expect that this misunderstanding stems from the fact that traditional insurance policies providing cover for commercial general liability, property and business interruption often contain significant exclusions for cyber attacks and for damage to intangible property such as software and data, leaving businesses exposed.

Getting to grips with risk

The Cabinet Office’s paper seeks to assist businesses in plugging this gap. 

Recent Government research found that 22% of small businesses admitted they simply “don’t know where to start” with cyber security and larger firms had still not fully addressed risks such as their exposure from third party suppliers (eg cloud computing providers). 

The Government recommends that considering cyber risk insurance cover should go hand-in-hand with internal steps to address risk, for example:

  • A risk governance structure (such as a board risk committee and risk officer) which operates independently of executive management;

  • A comprehensive recovery plan covering financial, operational and reputational functions; and

  • Stress-testing the organisation’s financial resilience to possible threats.

The Government’s new Cyber Essentials industry-backed scheme provides initial guidance to businesses on how to put in place adequate security controls and builds on existing Government guidance for small and large businesses. Insurers operating in the SME sector have agreed to incorporate compliance with the Cyber Essentials standards into applications for insurance, with a view to opening up the market to SMEs. 

Consider cyber risk insurance 

Businesses should review existing insurance policies to establish the extent of cover for cyber risk and consider obtaining either a standalone or bolt-on cyber risk policy. To maximise the chances of achieving the right level of cover:

  • Choose a reputable broker and consider asking the broker to provide a formal statement on the level of existing and potential cyber cover to the board;

  • Conduct an assessment of the specific risks faced by your business and shop around for appropriate cover – cover for expenses arising from data protection breaches, data loss and software damage is usually offered, but cover for reputational damage is less common, and cover for direct losses arising from intellectual property theft (which is hard to quantify) may not be obtainable;

  • Establish the amount of cover required and what caps are acceptable by trying to quantify the possible costs of potential breaches, eg network business interruption or the investigation and regulatory responses in relation to cyber attacks;

  • Find out what level of due diligence the policy requires and ensure the standard is met - some policies may not cover losses due to breaches occurring before the insurance was purchased and due diligence enquiries might identify cyber attackers already operating within an organisation;

  • Look for cover for the costs of notifying third parties potentially affected by data breaches, but be aware that many policies place limits on the number of individuals that can be notified and on the methods of notification. Cover for the public relations fallout from data breach scenarios is also desirable;

  • Ask whether the trigger for cover is an event which results in the loss of data, or a claim arising from that event which is made against the insured and notified to the insurer during the policy period. Policies which cover only claims made against the insured tend to be more restrictive in scope, so it may be worth paying more for a policy in which cover is triggered by the event and the subsequent loss;

  • Establish the territorial scope of the policy – many cyber risk insurance policies restrict cover to the UK and this may not be sufficient if employees frequently travel abroad with laptops and PDAs holding confidential information, which could be lost or stolen;

  • Find out whether unencrypted devices are covered by the policy, if these are used by staff; and

  • Consider what exclusions apply – the cyber insurance market is still in its infancy so terms are not yet standardised and it is unclear how far insurers may seek to rely on exclusions (for instance, to rely on an exclusion for acts of terrorism or war in the event of an attack by a foreign nation). If in doubt, seek advice from your legal team.