What is cyber insurance?

Right now, almost every business relies on digital technology in some shape or form. But whether it’s using software, selling your products online or simply storing data in a spreadsheet, these systems and networks can also make your business vulnerable.

In the same way that your home could be burgled or flooded, sole traders and businesses of all sizes are at risk of a range of cyber attacks and other related issues. Cyber insurance can help, not just by allowing you to recover from an incident, but also by covering the costs of restoring your reputation and defending your business if it’s sued.

Cyber attacks are an ever-present threat to businesses all over the world, with 39 per cent of UK companies identifying a cyber attack against them in 2021. If the worst happens, the right cyber insurance coverage can provide the financial protection to help your business get back on track.

How does cyber insurance work?

Let’s say you run an accounting firm. If one of your employees accidentally clicks on a suspicious link and that link contains ransomware, all of your systems could be blocked until a ransom is paid. In one fell swoop, your practice would compromise clients’ financial data, damage its credibility and be prevented from delivering its services until the block is lifted.

If your business is covered by cyber insurance, your claim might involve paying the hackers, hiring a PR agency to improve your practice’s reputation and compensating for lost income while your network was down. If your firm faces legal action, you could claim for that too, depending on what type of coverage you have.

43% of employees say they’ve made a mistake at work that has compromised cyber security. And these mistakes don’t just relate to attacks from criminals: they can include things like leaving a laptop on a train or documents on a park bench; even handing the wrong hard drive to a courier. If those items contain sensitive information, then losing them can be just as damaging as a cyber attack.

Cyber insurance is like other types of insurance, in that it’s designed to protect against an incident and cover costs your business wouldn’t be able to afford on its own. Businesses can use cyber cover to pay for the fallout from a data breach, which involves notifying customers, investigating what’s happened, recovering what they’ve lost and compensating for a period without trading. But cyber security incidents can be the result of a simple but far-reaching instance of human error too.

What does cyber insurance cover?

According to Hiscox, an insurance provider, the median cost of a cyber attack is now almost £15,000. But the money involved in dealing with a cyber crime or incident can add up very quickly, reaching into the hundreds of thousands and millions for bigger organisations.

One reason cyber insurance claims reach such high figures is that there are two types of coverage, which both have a lot of moving parts: “first party” coverage and “third party” coverage. First party coverage relates to your business and all the various costs involved in remedying what’s happened, which as we’ve seen could mean anything from ransom payments to PR activity to customer comms.

Third party coverage is more about your customers, specifically the costs of legal claims they might make against you, such as damages, settlements and your legal defence if it goes to court. If your business doesn’t look after a lot of customer data, then you may not need third-party cyber insurance.

What isn’t covered by cyber insurance?

Cyber insurance policies usually cover quite a few different eventualities, but that doesn’t mean they cover everything. Intellectual property theft as a result of cyber crime, which can do serious harm to your brand and lose your business a lot of money, won’t always be covered, for instance. Still, you can get this type of coverage separately, with business intellectual property insurance.

It’s always worth paying close attention to your policy, as sometimes fairly common incidents aren’t covered. One example is money lost through business email compromise fraud, where scammers send fake emails asking for money or sensitive information and link to malicious websites. The same goes for the cost of improving your systems and introducing new measures after an attack, like training employees to identify common attacks. Your policy will usually cover the immediate aftermath of an incident, but it’ll probably stop there.

What types of businesses need cyber insurance?

If you store important data online or on computers, you may need cyber insurance. That’s because almost every type of business holds personal information about its employees, like names, passwords, phone numbers and email addresses, which hackers can use for identity theft and sell to other criminals. The same goes for billing info and credit card details, which can be used for fraudulent purchases.

Still, different types of businesses need different types of coverage, usually depending on what kind of data they hold. With first party coverage, you’ll probably be insured against ransomware attacks, which the UK’s National Cyber Security Centre says are the most significant cyber threat facing the country. With this type of coverage, your insurer can step in to cover the costs of the ransom, subject to your claim being approved and the limits of your policy.

If your company doesn’t just store information about staff, but information about customers too, then it’s worth looking into third party coverage. The difference with this type of insurance is that it covers legal fees, in the event customers sue because of a data breach on your watch, for example. This type of insurance can also cover fines, which can be useful if you have a particularly large customer base or operate in specific sectors where regulatory oversight is more likely.

How much does cyber insurance cost?

As with any insurance, cyber insurers will look at what industry sector you’re in and how much money your business makes, to measure the level of risk. Businesses in the finance and healthcare spaces, for example, may hold more personal data and require a higher level of coverage as a result.

But cyber insurance can be more specific too, in that insurers will also look at what type of data you hold and how secure your business is. If your organisation has already completed a government-backed certification like Cyber Essentials, which protects you against the most common threats and shows you’re serious about cyber security, you may be able to get a better deal.

How much cyber insurance coverage do I need?

If you’re able to map out the financial impact of a major cyber attack, by looking at how much it would cost to notify customers, get your services back online and restore your reputation, you may be able to get a sense of how much coverage you need. But there is a huge number of variables to consider. You’re probably better off speaking to a broker or an insurer directly, who can provide a personalised quote based on your business.

Cyber insurance is a complicated space that requires a lot of careful consideration from you and your insurer. But it’s likely to be worth your while, since almost every business is vulnerable to attacks and cyber security-related issues. By insuring against the fallout of an incident, you can focus on running your business and put your mind at ease.

See also: Small business insurance – An essential guide – A look at all the types of insurance relevant to small business owners

Isaac Rangaswami

Isaac Rangaswami is a freelance writer specialising in accounting, technology and small business finance.