Any modern business relies on information technology to some degree. This may range from something as simple as credit card processing to more involved things such as managing healthcare analytics for millions of customers. If that information is vulnerable to attacks, it presents a tempting target for cybercriminals, leaving the business open to significant risk.
Despite the obvious dangers, many business owners aren’t too keen on purchasing cyber insurance. Some don’t think their business needs it, and others don’t even know what it covers. Below is a breakdown of why cyber insurance may be a good idea for your business.
What Is Cyber Insurance?
The name gives away a lot of the meaning, but some specifics are important to note. Cyber insurance is a type of liability protection from threats such as data breaches, hacks, and other cybercrimes. The loss or damage of information affects every business differently, but it’s never a trivial matter, as it exposes weaknesses in the operational process.
Cyber insurance typically covers first- and third-party financial liabilities and reputational damages in the event of a data breach through computational systems. Now, there’s a lot to parse in that sentence. The first party, in this case, is the business involved in the breach, and insurance coverage usually extends to any loss of digital assets, cessation of business activities as a result of the breach, customer notification expenses, reputational damage to the business as a result of the breach, and other potential damage as outlined in the policy.
The third parties are those affected by the breach outside the business. This typically refers to clients of the business whose data is compromised. Coverage in this case typically involves investigative and legal defence costs, as well as civil damages resulting from the breach, investigation and defence costs of breaches of client privacy, and the loss of third-party data including loss of access for customers.
Even organisations that employ individuals dedicated to cyber security matters found that those employees weren’t all that clear about what the insurance covers. But many still agreed to take the insurance for peace of mind on the recommendation of insurance agents.
Cyber Insurance by Numbers
Cybercrime is growing quickly, but businesses don’t fully appreciate its impact: according to government data, only 11% in the UK have cyber insurance. The average cost of cybercrime around the world has grown into the millions per occurrence, and the number of significant breaches grew by over 10% in 2018. These numbers, although alarming, aren’t enough to convince many organisations, since the number of insured organisations that have made an insurance claim remains relatively low. Some of the most common reasons organisations give in surveys for not purchasing the insurance relate to a lack of information.
- Around a quarter of both businesses and charities surveyed reported that they’re already covered by their third-party cyber security providers.
- 23% of businesses and 15% of charities reported a general lack of awareness of cybercrime as the reason for not taking out insurance.
- The most salient reason turned out to be the perception of not being at risk for cybercrime. Close to a third of charities and around a fifth of businesses considered themselves to be at low risk.
The numbers aren’t encouraging, but if current trends in cybercrime continue, they may lead many organisations to reconsider their choice to opt out. Even as early as 2014, government data showed that most small and large businesses had suffered some sort of data breach during the reporting period.
Cybercrime Management and Risk Assessment
As more insurance companies are starting to prioritise prevention as much as or more than loss coverage, businesses are encouraged to implement good cyber “hygiene” to reduce risks. This involves looking into potential first- and third-party risks within the business networks and analysing the potential events that could make those risks materialise as liabilities. Learning about and improving cybersecurity practices is part of a wider push by governments and insurance companies everywhere. Basic security standards were released in 2014 by the government in the form of Cyber Essentials, along with accreditation in those standards.
Furthermore, incident response schemes and a cybercrime unit in the National Crime Agency are signs that the threat from cybercrime is a growing one that deserves special attention.
Better Cyber-Safe than Sorry
It’s unlikely that the persistent rise in cybercrime is going to slow down anytime soon as more organisations are generating and storing data that’s increasingly sensitive. Sadly, the potential for harm grows exponentially, but cyber insurance policies are also likely to adapt proportionally and good options for coverage will mitigate some of the damage.
Even if cyber insurance isn’t for you, there is now widespread information available on the damage cyber attacks can cause – and the preventative actions you can take – to give you confidence to self-insure instead. And if you do have cyber cover, check that you are complying with the policy terms; for example, if you are not backing up files at least weekly, the policy may not pay out!
Author’s Bio: John is an actuary and owner and Director of HJC Actuarial, which he founded in 2003 and which has advised over 100 clients since its inception. He has worked in the insurance industry for 30 years, qualifying as an actuary in 1995 and becoming a Partner in a major global consulting firm in 2000. Since 2003 he has provided independent advice to his clients on optimal insurance program design, presentation of risks, premium negotiation with insurers, insurer solvency assessments, policy wordings, insurer selection, and insurance broker selection.