Duncan Sutcliffe knows a thing or two about cyber insurance, his company Sutcliffe and Co Insurance brokers has been insuring companies against the eventuality of a cyber attack for over a decade. Sutcliffe and Co are also behind the £25,000 worth of cyber insurance included with Cyber Essentials. We asked Duncan to give us the lowdown on cyber insurance for businesses.
Will my professional indemnity insurance cover data breaches?
Professional indemnity insurance is designed to cover you for errors, omissions and negligence in your professional service. For example, an accountant might forget to send a client’s tax return in on time or fill it out incompletely. Some professional indemnity, as part of the errors, omissions and negligence, includes some cover for third party loss of data, which means it would cover mistakes which involved losing customer data or sending data to the wrong person. This third party cover is likely to be very limited and it is usually necessary to have the additional cover of cyber insurance which is far more comprehensive when it comes to a data incident and includes both third and the first party cover.
In recent years, insurers have been told by the regulator to make it clear whether cyber is, or is not covered in policies. If it is covered, it has to be made very clear what it is restricted to, and in many cases, insurers are explicitly saying that there is no cyber cover. Certainly for professionals who deal with financial transactions and hold a great deal of sensitive data, it is quite common to have an endorsement saying this policy no longer gives you cover for cyber. Insurers want to remove that cover because professional indemnity insurance was never designed to cover cyber risk. It was there to cover professional mistakes, not for the increasing tide of data breach claims. In a nutshell, your professional indemnity gives very limited cover or indeed no longer covers you for cyber incidents and you need a separate cyber insurance policy.
What is cyber insurance?
Cyber insurance is there to cover an organisation in the event of an accidental or malicious data breach or data incident. Sutcliffe and Co have seen claims for all kinds of incidents, malicious or accidental, ranging from viruses to misdirected emails.
What does cyber insurance cover?
A basic cyber insurance policy will cover the technical incident response costs and the legal, regulatory and crisis management costs. This can be compared to an emergency response service. A more comprehensive cyber insurance policy might cover more. Depending on the size of the cyber attack, and the amount of cover you have on your insurance, the policy could pay fines and penalties where legally permissible. It can also cover lost income where the incident stops you trading or causes a downturn in revenue. In the event of ransomware, a policy would help with restoring systems and data.
Cyber insurance is included as part of Cyber Essentials for UK based organisations that certify as a whole organisation with a turnover of less than 20 million. This cover gives up to £25,000 worth of liability.
In the event of a breach, the policy holder would immediately be able to ring an emergency helpline. They would then receive the services of a cyber incident response team whose job is to find the problem, stop the problem, and restore their systems and data. They would also receive help from a legal team who would deal with any litigation and regulation issues. This could be anything from a breach of the Data Protection Act, to a breach of contract. Crisis management and PR support would assist them with communications and that might include support to notify data subjects. An example might be the discovery of a data breach that may have compromised clients. The insurance would close the breach, assess the extent of the breach and then notify the clients and the information commissioner. It will then deal with any regulatory and legislative issues. The crisis management team would help minimise any reputational damage.
The Information Commissioner has said that if you suspect you’ve had a data incident you must report it within 72 hours. When you do report it, you’ve got to tell them what’s happened, what you’re doing about it, who may be affected and the scale of it. This can be really difficult. But if you’ve got cyber insurance, you can very quickly have forensic and legal people there who will be able to put together a presentation for the Information Commissioner, telling them who’s affected and what you’re doing about it. The Information Commissioner has also said that in regard to punishments, their view will be strongly influenced by how you respond to an incident, they have also said that if you have Cyber Essentials certification, your punishment will be reduced.
Are trusted advisors, such as accountants, lawyers and bank managers responsible for advising their clients about cyber risk?
Professionals have to be careful that they don’t stray into areas outside their expertise or qualification. But they are allowed to give a degree of generic advice about relevant subjects. Certainly many businesses are very reliant on a CRM and accounting systems for their trade so it’s important that the IT system is robust and efficient and communicates with the accountants as well as the business and other parties securely. If the system fails or is breached, there is the risk that many businesses would cease trading.
Will it make a difference to my insurance if I have a cyber security certification?
Many professional indemnity proposal forms or application forms now have questions about cyber; they might have an additional questionnaire that comes with it. If the insurer is concerned that risk is too high, they might impose an endorsement on a policy excluding cyber. However, if an applicant can prove that they are lower risk due to a cyber security certification such as Cyber Essentials, that’s instantly answering a lot of questions and providing a lot of reassurance. So in this example, the applicant might be able to keep some cyber cover, or if not, it might enable them to get cyber insurance at a cheaper rate.
When an organisation applies for cyber insurance, do they have to prove they have mitigated risk?
Anyone who wants to buy cyber insurance has to prove a certain degree of cybersecurity in the same way that with your house insurance, you have to confirm that you not only have a front door, but that door has a certain standard of lock on it. As with home insurance, if you don’t have many valuables, insurers will be happy with a standard five lever mortice deadlock. But if you live in a palace with lots of possessions, then insurers might insist upon an alarm and CCTV. To determine the risk, cyber insurers will take a look at your size and sector of business, your existing security levels, and the amount of data you keep. Insurers like to see firewalls, virus protection, multi-factor authentication and software patching – achieving Cyber Essentials certification ticks most of the boxes that insurance companies expect. They also like a robust backup procedure and regular staff cyber security awareness training.
How much could a cyber attack cost?
Cyber claims come in all shapes and sizes ranging from the inconvenient to the catastrophic and are just as likely to impact sole traders as global firms – the difference being global firms have well resourced defences. A recent case that Sutcliffe and Co have seen, involved a small accountancy firm where an infected spreadsheet attached to an email contained malicious software called a ‘keylogger’ . This enabled the criminals to watch every keystroke, giving them important information including passwords for online banking and other websites. The breach was quickly spotted but the incident ended up costing £180,000.
For a small organisation, that’s any organisation with less than 50 employees, a small breach tends to come in at between £10,000- £30,000. A large breach for a small organisation tends to come in at between £60,000 and £80,000, but there have been some huge cases recently. Some of the most expensive breaches recently have involved ransomware.
The free cyber insurance included in Cyber Essentials would usually cover the costs for a small breach and certainly cover the essential emergency assistance for a breach. A large breach can cost astronomical amounts and any company can upgrade their insurance cover to higher limits of indemnity. Most insurance companies will take into account if a business has certified to Cyber Essentials because Cyber Essentials is shown to reduce the risk of a cyber breach by at least 80%.