There was an interesting bit of research reported recently by the SC UK Magazine. The independent Corporate Executive Programme (CEP) has carried out a study into US/UK companies and their attitudes towards cyber-insurance.
The results are really thought-provoking.
A quarter of all respondents said that their company had had a “business impacting” cyber breach in the last 12 months, and of those companies, only 30% had existing cyber insurance.
Out of all the companies that actually had cyber insurance, only half checked through the supply chain to confirm that suppliers also had adequate cover.
As is to be expected, due to the stricter breach penalties in the States, more businesses in the US have cyber-insurance cover than in the UK. Cyber security or liability insurance has been available for some time, but the take-up in the UK, and indeed in Europe, has been slow. The UK Information Commissioner’s Office (ICO) can currently penalize firms for a data breach with a fine of up to £500,000, but the adoption of the pending EU data breach and cyber breach notification rules could become the incentive for more to consider cyber insurance in the near future.
Worryingly, most CISOs reported that they did “not have the knowledge of the types of dedicated cyber-insurance products available to their company”. The report also details that CISOs are not always involved in the final decision when purchasing cyber insurance cover – a baffling trend, as they are surely the best people to understand the level of risk and type of cover needed?
It seems, yet again, that the level of companywide protection depends on board and management “buy-in” to the risks of a possible cyber-attack. Having a CEO who understands the current cyber security risks in today’s economic climate can be crucial in determining the right budget and amount of resource needed to ensure a sensible level of protection.
The threat of cyberattacks to your business continuity.
In 2012 insurance giants Chubb carried out a survey with the following result – 69% of businesses stated that their concern about cyber risk had increased over the past 12 months, whilst only 21% had actually purchased cyber insurance cover. The more you delve for statistics on the matter the more it seems the common theme is not loss from fire or flood but data loss and fraud.
Be careful – many insurers deliberately remove protection from cyberattacks from their business policies.
Most commercial insurance policies will include some extensions for the reinstatement of data (which protects a business if a fire destroys computer records). However a common “E-risk” exclusion in these policies is damage by error or intrusion such as a hacking attack.
The wording of a typical ‘E-Risk’ exclusion is as follows “excluding Loss or Destruction caused directly or indirectly by operator error, virus or similar mechanism, hacking, malicious persons or failure of external works”.
Sometimes, even if you find these included in the main wording of your policy, you will likely find them all excluded under the terrorism section.
With the hugely increased threat of hacking and cyber vandalism by terrorist and fundamentalist groups (including industrial terrorism), it is no surprise that insurers are responding by excluding this from front line cover.
It wouldn’t be unreasonable to assume a greater threat from cyber-crime / fraud than from physical theft or malicious damage.
How can you protect your business?
Cyber protection policies are available in isolation and can often be written to your specific needs. Our recommendation would be to encompass the cyber risk within a wider ‘crime insurance’ policy where other acts of fraud can be insured. This is particularly pertinent if you have employees or engage with suppliers or services on a regular basis.
The insurance industry is often accused of not being innovative enough but I would say that it is hard to predict the next trend of risk to the extent you could adequately produce, test and evaluate a product.
The creeping threat of cyber-crime and the ease with which fraud can be committed with basic electronic knowledge mean that insurers now have some solid case studies and a real idea of the risks. Accordingly, more insurers are coming to market with crime policies. Whilst at present this is being driven by giants such as Aviva, AIG, Chubb, QBE and the like, we can foresee that more insurers will soon market a product or they risk being left behind by an increasingly changing world.
Cyber insurance is not difficult to arrange unless you have an extremely complex business model (in which case it just means a bit more of an in-depth presentation to insurers) and an indication can be obtained with a few relatively simple pieces of information – Company Name, Address, Annual Turnover, Number of Employees, Trade Description.
Cyber insurance is a must. If you were attacked and you had no access to any of your company data, or your bank accounts, would you be able to continue trading? Or, do you know for certain that your current insurance arrangements would offer full protection?
Written by Tim Holman CEO of 2-sec and Alastair Campbell-Grieve, Cyber Insurance Expert, Fairweather Insurance Limited
For more information on how to manage your company’s cyber security, please contact Tim Holman, CEO at 2-sec on 0844 502 2066 or email contact@2-sec.com
If you’d like to know more about cyber insurance cover, how it might protect your business or for a quotation please contact cyber insurance expert Alastair Campbell-Grieve at Fairweather Insurance on 01753 882222 or email acampbell-grieve@fairweatherinsurance.co.uk