Cyber Liability Insurance
What is Cyber Liability Insurance?
When a UK-domiciled organisation with a turnover under £20m achieves self-assessed certification covering their whole organisation to Cyber Essentials, they are entitled to Cyber Liability Insurance.
The cover is underwritten by American International Group UK Limited, and administered via Sutcliffe & Co Insurance Brokers.
Please find below a summary of the policy and an FAQ about the insurance.
£25,000 Total limit of indemnity:
24hr helpline to report a cyber incident, which will provide crisis management and incident response to the total liability limit of £25,000.
What’s covered?
Liability: claims made against you arising out of Digital Media Activities and Security and Privacy Liability.
Event Management: The reasonable and necessary fees, costs and expenses of: Legal Expenses; IT Expenses; Data Recovery Expenses; Reputation Protection Expenses; Notification Expenses; Credit Monitoring and ID Monitoring Expenses; and First Response Expenses.
Extortion Threat.
Regulatory Investigations: (defence costs) & regulatory fines (where insurable by law).
Business Interruption: Loss of profit and / or operational expenses caused by a network compromise.
Network Interruption: The reasonable and necessary costs and expenses that a Company incurs to minimise the Network Loss, or reduce the impact of a Material Interruption; provided however that the amount of Network Loss prevented or reduced would be greater than the costs and expenses incurred.
[To the limit of the policy liability]
What’s not covered?
Money stolen by electronic means or cyber fraud.
Retentions apply: see What is not covered? FAQ
The £25,000 limit of indemnity might be sufficient for a small breach or incident but inadequate for a serious problem or more than one incident. Higher limits of indemnity may be available upon request.
Frequently Asked Questions
Do I qualify for the Cyber Insurance?
Organisations that achieve Cyber Essentials certification via The IASME Consortium or any of their approved certification providers will receive Cyber Insurance if they fulfil the following criteria:
• The entire organisation is Certified
• The organisation is domiciled in the UK or Crown Dependencies
• The organisation’s annual turnover is under £20m
• The organisation opts-in to the insurance.
Why do I need Cyber Insurance?
Being compliant to Cyber Essentials has been shown to significantly reduce the likelihood and severity of a data breach. However, some risk still remains, especially if there is human error, a malicious insider or a concerted external attack. The presence of cyber insurance will
provide vital incident response services and cover your costs in your hour of need. The insurance provided with certification gives you £25,000 limit of indemnity so you may want to purchase a higher limit of cover in case you suffer a severe breach.
How do I make a claim? (for Certifications after 01 October 2023)
If you suffer a Breach of Confidential Information or Security Failure you should immediately contact AIG’s First Response Service on +44 (0) 1273 730992 detailing your Cyber Essentials Certificate Number (as detailed in your Evidence of Insurance).
Remember to keep a paper copy of your Evidence of Insurance as you may not be able to access an electronic copy in the event of a data incident.
How do I make a claim? (for Certifications before 01 October 2023)
If you suffer a data breach, hack or other cyber incident you should immediately contact the 24 hour helpline using Axa XL’s 24 hour response hotline on 0800 085 9483. The policy will provide crisis management and incident response services appropriate to your circumstances. Do not delay in reporting the incident as this could jeopardise your claim. Remember to keep a paper copy of your Evidence of Insurance as you may not be able to access an electronic copy in the event of a data incident.
Who is the insurer?
For Certifications after 01 October 2023 the insurance will be provided by American International Group UK Limited.
In the event of a claim they will appoint their specialist consultants to assist and advise you and your IT team.
Who is insured?
The name of the insured is on your Evidence of Insurance and should correspond with the organisation that has successfully been certified.
What is covered and what services are provided?
Your policy provides the following up to a total limit of indemnity of £25,000:
- Liability: claims made against you arising out of Digital Media Activities and Security and Privacy Liability.
- Event Management: The reasonable and necessary fees, costs and expenses of: Legal Expenses; IT Expenses; Data Recovery Expenses; Reputation Protection Expenses; Notification Expenses; Credit Monitoring and ID Monitoring Expenses; and First Response Expenses
- Extortion Threat.
- Regulatory Investigation: (defence costs) and Data Protection Fines: (where insurable at law).
- Network Interruption: The reasonable and necessary costs and expenses that a Company incurs to minimise the Network Loss, or reduce the impact of a Material Interruption; provided however that the amount of Network Loss prevented or reduced would be greater than the costs and expenses incurred.
What is not covered?
There is a £1,000 excess (increasing to £5,000 for claims emanating from activities in the USA or Canada) and a six hour Network Interruption retention. Your policy does not cover you for money that may be stolen via electronic means or cyber fraud. Full details of what is and is not covered can be found in your Policy wording.
What limit of cover is provided?
The insurance provided with certification gives you a £25,000 limit of indemnity. This might be sufficient for a small breach or incident but will be inadequate if you suffer a serious problem or more than one incident.
For wider cover or a higher limit of indemnity, then you will require a more tailored cyber insurance policy. You may want to speak to your broker, or you can get in touch with Sutcliffe & Co. Insurance Brokers who administer the AIG policy. You can email [email protected], call 01905 21681 or visit the website at www.sutcliffeinsurance.co.uk. This also applies if you are not eligible for the automatic insurance, for example if your turnover is more than £20m.
What if I want to increase cover from £25,000?
Many certificate holders take the option of increasing their limit of indemnity to £250,000 for an annual premium of just £224 inc tax. Contact Sutcliffe & Co Insurance Brokers who administer the Cyber Essentials insurance on 01905 21681 or [email protected], call 01905 21681 or visit the website at www.sutcliffeinsurance.co.uk with your certificate details. The annual premium of £224 will be reduced pro-rata if you apply part way through your certificate period. Alternatively if you would like a higher limit or bespoke cover contact Sutcliffe & Co or your own broker and discuss your requirements.
What security precautions must be maintained?
You are required to install & maintain automatically provided updates from your software provider for critical business software. If you have passed Cyber Essentials, this process should already be in place, but you should make sure it is maintained to ensure that the insurance remains valid.
What if I already have Cyber Insurance?
You can’t claim on two policies. If you are satisfied your existing policy gives you the cover you require, then you can opt out of the cover that comes with Cyber Essentials. If you have two policies in force at the time of a claim you will need to notify both insurers.
What if my turnover is more than £20m?
Companies with a turnover above £20m are not eligible for the automatic insurance.
If you want insurance you may speak to your own broker, or you can get in touch with Sutcliffe & Co. Insurance Brokers who administer the AIG policy. You can email [email protected], call 01905 21681 or visit the website at www.sutcliffeinsurance.co.uk.
What if I am not domiciled in the UK?
Only companies domiciled in the UK or Crown Dependencies are eligible for the insurance.
How long does the policy last?
The policy starts from your certification and lasts 12 months; the exact dates will be on the Evidence of Insurance issued with your Cyber Essentials Certificate.
How do I renew the policy?
The policy is connected to your Cyber Essentials Certification and cannot be renewed on its own. To maintain cover, you will need to renew your Certification or take a separate stand-alone cyber insurance policy.
What if I don’t want insurance?
When completing the Cyber Essentials assessment, those eligible for the insurance will be asked to opt-in only if they want the cover. The cost of the Certification remains the same whether or not you opt-in.
What if I have a complaint?
Claims related complaints:
Write to: Head of Financial Lines & Professions Claims Manager, 58 Fenchurch Street, London, EC3M 4AB
Call: +44 (0) 20 7063 5418
Email: [email protected]
All other complaints:
Write to: Customer Relations Team, AIG, The AIG Building, 2–8 Altyre Road, Croydon CR9 2LG
Call: 0800 012 1301
Email: [email protected]
Online: https://www.aig.co.uk/home/contact-aig-uk/complaints-and-feedback
How do I get more information on the Insurance?
Email Sutcliffe & Co. who administer the policy, at [email protected] or call them on 01905 21681.