
How would your customers respond to their data being leaked?

As businesses increasingly rely on digital technologies and interconnected systems, we’re likely to see increases in cyber security breaches for SMEs. To date, 51% of SMEs have fallen victim.[1]

Cybercriminals are employing more sophisticated tactics than ever to breach security defences and exploit vulnerabilities, largely through phishing, ransomware, social engineering – and the emerging risks of AI and deepfakes. Our new cyber glossary outlines the growing list of commonly used cyber terms.

But it’s not just malicious acts perpetrated by cybercriminals that could see this number increase. In fact, a staggering 95% of cyber security breaches result from human error.[2] Examples include accidentally sending valuable data to incorrect recipients, accidentally emailing documents containing sensitive data, or publishing confidential data on public websites.

The “it’ll never happen to me” attitude is fast becoming outdated. Those still sleeping on cyber risk may need to wake up to the reality that, in this digital era, your business can be targeted from anywhere and at any time.

A successful cyberattack can have catastrophic consequences for your business: financial losses, reputational damage, and legal liabilities.

Understanding your cyber exposures and what cyber means to you is vital. Among the solutions are cyber insurance and compliance with the 12 key cyber controls.

Cyber insurance is absolutely vital. It’s no longer simply nice to have, it’s a must-have. Almost every business depends on technology, and if that technology is attacked by criminals, there can be significant financial and operational impacts. Most smaller businesses don’t have the resources needed to prevent an attack or deal with the consequences. You’ll likely need expertise on call and insurance indemnification to respond effectively.

Here’s everything you need to know about cyber insurance.

What is cyber insurance?

Cyber insurance is designed to protect your business from the overall risks of a cyberattack, data breach, or system failure. If your business experiences a cyber event, your cyber insurance policy will help cover the cost of the damages and your recovery.

Unlike general liability insurance, which primarily covers physical injuries and property damage, cyber insurance specifically addresses the unique risks of cyber events — whether it’s external or internal. It fills the gaps in traditional insurance policies, which often provide limited to no coverage for cyber-related losses.

What does cyber insurance cover?

Cyber insurance policies typically provide coverage for both first-party and third-party expenses incurred in the aftermath of a cyber event (within pre-agreed limits). They also provide coverage for incident response to a cyber event.

Incident response coverage – The insurer will have a panel of third-party experts (law firm, PR specialists, digital forensics, ransomware negotiators) who can be accessed for support 24/7 with the insurer covering the costs. This is crucial for SMEs as they will likely have very limited IT/cyber expertise in-house and the costs of these experts can be a significant proportion of the claim.

First-party coverage – This helps to cover the direct costs your business has to pay during and after a cyber event. These costs can include investigating the incident, notifying affected individuals or customers, providing credit monitoring services, and restoring compromised data or systems. First-party coverage helps your business respond quickly to a cyber event, reducing the impact on your day-to-day operations and safeguarding your reputation.

Third-party coverage – This deals specifically with the legal and financial responsibilities that your business may have after a cyber event. It covers costs such as legal fees, settlements or judgments from lawsuits filed by affected parties, and regulatory fines and penalties (where insurable by law).

While it is an important part of any business’s risk management strategy, cyber insurance is not a one-size-fits-all solution. The specific coverage and policy terms can vary among insurance providers and may depend on factors such as your business industry, size, and unique risk profile. Therefore, it’s a very good idea to contact a cyber insurance expert to help you evaluate your cyber risk exposure.

What are the benefits of cyber insurance?

Cyber insurance offers several key benefits to businesses that can help them navigate the complex and costly aftermath of a cyberattack.

  1. Financial protection – Cyber insurance covers a range of first-party and third-party costs, helping to minimise the financial impact of a cyberattack.
  2. Business interruption – Cyber insurance often includes business interruption coverage, which provides compensation for the lost income resulting from a cyber event (depending on limits). It will also cover the increased cost of working such as paying overtime or hiring additional staff. A cyberattack or system failure can be very disruptive to your business operations, often causing serious financial losses due to downtime or impacts on the efficiency of operations such as scheduling, producing documentation, processing payroll, etc. This coverage enables businesses to focus on recovery and get back on their feet as quickly as possible.
  3. Reputation management – One of the more significant impacts of a cyberattack is the potential damage to your business’s reputation. Customer trust and brand reputation are important assets that can be severely impacted by a breach. Cyber insurance can provide invaluable assistance in managing and repairing your business’s reputation by providing access to public relations and crisis communication experts. They can provide guidance on effective messaging, ensure transparency, and help rebuild trust with customers, partners, and stakeholders. Insurance can also cover the costs of reputation repair services, such as public relations campaigns and online monitoring tools.
  4. Regulatory compliance – As the digital landscape becomes more and more regulated, businesses face many legal obligations regarding data protection and privacy. Cyber insurance can support businesses in meeting these regulatory requirements. Insurance providers can offer resources and guidance to help businesses stay compliant with relevant laws and regulations. This can include access to legal expertise and assistance in understanding and implementing data protection measures.

By investing in cyber insurance and risk management, you can safeguard your business assets, mitigate your financial risks, and maintain your customers’ and stakeholders’ trust and confidence.

Cyber insurance misconceptions

  1. It’s just for big businesses
    Cyber criminals target businesses of all sizes.
  2. It never pays out
    Most cyber insurance claims you see in the news aren’t actually claims on cyber insurance policies. The truth is, insurers are paying them in accordance with policy wordings. Our colleagues in Marsh discussed this topic with insurers recently. Watch the video here.
  3. It’s included in my other business insurance
    Some overlaps exist (as with all lines of insurance), but traditional insurance policies lack the depth and breadth of standalone cyber cover, and won’t come with experienced cyber claims and incident response capabilities.
  4. It stops me from getting hacked
    Cyber insurance is not a preventative measure to deter cybercriminals. It’s designed to help you recover from the associated costs and losses after a cyberattack or data breach.
  5. It’s not needed as I don’t collect sensitive information
    Any business that relies on a computer system to operate, whether for business-critical activities or simply electronic banking, has a very real cyber exposure.
  6. It’s covered by my outsourced IT provider
    The safest approach is to assume that the responsibility lies with you. Even if you outsource your IT, there’s a high chance you’ll still be liable. Assuming you’ll be successful in claiming back damages from a third party is a risky gamble. We always recommend carrying out due diligence on third-party providers.

How to choose the right cyber insurance

1. Assessing your cyber risk exposure

Before selecting cyber insurance, you should assess your unique cyber risk exposure. This involves identifying potential vulnerabilities and understanding the likelihood and potential impact of a cyberattack on your day-to-day operations.

Consider factors like the type and sensitivity of the data you handle (especially personal information and personal health information), your industry, the size of your customer base, and your reliance on technology infrastructure. Conducting a comprehensive risk assessment can help you determine the appropriate level of coverage and policy features your business will need.

2. Understanding policy coverage and exclusions

When evaluating cyber insurance policies, you should carefully review the coverage and exclusions outlined in each policy. It’s essential that you understand the specific protections offered by a policy to ensure it aligns with your business’s unique needs and potential risks.

There are certain key aspects you need to consider, including the following:

  • The extent of first-party and third-party coverage the policy provides.
  • How much business interruption and reputation management coverage the policy provides.
  • The sub-limits and deductibles associated with different types of losses.
  • Any limitations or exclusions that may apply.

It’s also important that you’re aware of the circumstances that could cause your coverage to be denied or limited. These may include geopolitical events.

3. Customising coverage

Cyber insurance is not a one-size-fits-all solution. Your business will have its own unique needs and risks requiring customised coverage options.

It’s best to work with insurance providers that offer flexibility in policy customisation. This can include tailoring coverage limits, adding endorsements to address specific risks, or adjusting deductibles to align with your business’s risk tolerance and budget.

It’s crucial that you engage in open and transparent communication with insurance providers before you make your decision. You should discuss your specific needs and make sure you get clarification on policy terms. This helps to make sure that the coverage you’re getting sufficiently addresses your unique cyber risk profile.

12 key cyber controls

With cyber incidents on the rise, insurers are becoming more cautious, tightening underwriting terms and asking more questions about businesses’ cyber operating environments. For many insurers, businesses now have to adopt certain risk controls as a minimum requirement for insurability, including:

  • Multifactor authentication (MFA)
  • Email and website filtering
  • Secured, encrypted, and tested backups
  • Incident response plans
  • Cybersecurity awareness training
  • Replacement or protection of end-of-life (EOL) systems

Find out here which cybersecurity controls you should adopt.

How we can help

Navigate the complex and ever-changing cyber landscape with confidence by speaking to our team of cyber insurance experts. They can help you get back to focusing on your thriving business while knowing you have a robust safety net in place.

Not sure what to do next?

Many of our clients didn’t know where to start either. We work with our insurer partners to arrange a cyber insurance policy that is truly right for you. Simply call us or get in touch and we’ll call you.