A history of cyber insurance

It seems that hardly a week goes by without some report of a cyber-attack or breach being reported in the media. These are usually only the high profile cases that we hear of too.

Did you know four in ten businesses (39%) reported having cyber security breaches or attacks in the last twelve months?¹ And this figure is higher at 65% among medium-sized businesses (50 to 249 employees) and 64% amongst large-sized business (250 employees or more).¹

Businesses are facing threats such as extortion, electronic compromise or social engineering attacks to name but a few. And a huge 89% of businesses are potentially unprotected against cyber-attacks.² Robert Morris, Account Director at Marsh Commercial, explores the history of cyber insurance and provides expert insight as to whether your current cover may be leaving your business exposed.

History of cyber insurance

Is cyber insurance covered under your general insurance policy?

When a cyber event occurs, businesses without a bespoke policy may look to test whether any of their traditional insurance policies might provide cover.

Many different traditional insurance policies have tried addressing cyber risks; be it property, liability, professional indemnity, directors and officers or a traditional crime policy to name some, with various “cyber bolt-on” covers being added to these policies. This, along with the lack of any specific cyber exclusion clauses has raised false expectations that some coverage may apply.

However, in many cases traditional policies will not specifically refer to cyber and insurers could theoretically refuse to pay claims for cyber losses in certain circumstances. If you have not already done so, 2021 should be the year that you seriously consider investing in a specialist standalone cyber insurance policy. If you’re worried about your current cyber liability insurance coverage contact your insurance broker.

What does specialist cyber security insurance cover?

Today, there are many insurance companies offering bespoke cyber insurance policies. The coverage under the policies does of course vary per provider but in general terms the policies are there to protect businesses against; the loss, theft or destruction of a company’s digital assets or funds. The main 1st party cyber covers provided under a policy are:

• Incident response – this will generally pick up all of the costs involved in responding to a cyber incident, including IT security and forensic specialist support, gaining legal advice in relation to breaches of data security, and the cost associated with having to notify any individuals that have had their data stolen.
• Cyber extortion – this covers costs incurred in responding to fraudsters attempting to extort money by either threatening to carry out a cyber-attack or by threatening to expose or destroy data after having already compromised the firm’s network. This can also include ransomware, where the firm’s data has been encrypted and can only be made accessible again by the payment of a ransom demand to the attacker.
• System damage – this covers the costs for data and applications to be repaired and restored in the event that a computer system is damaged as a result of a cyber event.
• System business interruption – this cover aims to reimburse the lost income and increased costs incurred as a result of interruption to a business’s operations as a result of an attack. It is similar to a traditional business interruption insurance policy, however with the trigger being a non-physical event.
• Financial loss – refers to attacks that involve theft of funds from a firm such as social engineering, false invoices, electronic compromise and also extortion as per above.
• Network security and privacy liability – being traditional 3rd party covers for transmission of a virus to a client’s systems or failing to prevent an individual’s data from being breached.

Help to protect your business from cyber crime

Cyber insurance cannot and should not be seen as a replacement for a properly developed cyber security program. While a cyber liability insurance policy will serve you best in dealing with the many cyber exposures that exist today and in the future. It should complement your own cyber security efforts. Consider:

1. Cyber security training

Run phishing email campaigns to help employees recognise phishing attacks. Start by completing our interactive “how to spot a phishing email test”. Be sure to circulate to your employees.

2. Multi-factor authentication

Any remote connection to the network or business applications, require a password as well as a second factor – typically a security code. This makes it more difficult for attackers to gain unauthorised access.

3. Lock down remote desktop ports (RDPs)

Close down RDPs, or if that’s not possible, enable multi-factor authentication on the port. Change the RDP from the default port and use a strong password.

Identifying flaws before an attacker can find them is critical. Remember, if you’re unsure about the level of cyber cover in your current insurance programme, contact your insurance broker. If you wish to discuss any of the points raised in this article, be sure to contact Robert.

^Sources: 

 ^{1. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021}

 ^{2. https://www.abi.org.uk/news/news-articles/2019/08/cyber-insurance-payout-rates-at-99-but-uptake-still-far-too-low/}

 ^{3. https://www.marsh.com/uk/insights/research/silent-cyber-how-you-can-cover-perils.html}