Cyber Insurance – Legal basics you need to know to protect your business

Cyber Insurance – Legal basics you need to know to protect your business

Summary:

  1. What is Cyber Insurance?
  2. Why do I need Cyber Insurance?
  3. Stats on Cyber Attacks in the UK
  4. Am I covered for a Cyber Event or Cyber Incident?
  5. How Fletcher Day can Help

1. What is Cyber Insurance?

Cyber insurance is a special type of insurance designed to protect individuals and businesses from internet and cyber (or digital) risks. Cyber risks include risks relating to:

  • Information privacy
  • Information technology (IT) infrastructure
  • Information governance 

Cyber risks are not usually covered under most standard commercial risks and general insurance policies, so whatever industry you’re in (it doesn’t just effect and impact digital, tech or online only businesses), it’s worth researching and considering your options in relation to cyber insurance cover.

The most common type of cover is what is known as ‘First Party’ cyber insurance, which covers loss and damage to your business due to:

  • Hacking
  • Theft
  • Data destruction
  • Extortion (ransomware)

The second type of cover is known as ‘Third Party’ or ‘Liability’ cyber insurance, which covers loss and damage to other parties due to:

  • Errors
  • Omissions
  • Defamation
  • Failure to safeguard Personal Data or Commercially Sensitive Information

Third Party cover usually incorporates a number of additional benefits which can include:

  • Regular security audits
  • After incident public relations management 
  • Investigative expenses
  • Criminal reward funds

2. Why do I need Cyber Insurance?

To protect your business in the event of a cyber threat or cyber incident caused by malware or ransomware directed towards your operations.  As the world becomes more digital by the day, many of our clients are experiencing an increase in the number and frequency of cyber risks, cyber incidents and cyber attacks.  With such threats continuing to advance and become more sophisticated, many businesses across all sectors are choosing to buy cyber insurance products that are often offered with IT security services to protect their day-to-day business interests.

Our clients need to ask themselves, what would happen if your computing systems, company servers, accounting software, stock and product management software, customer databases and/or supply chain management records and systems were suddenly taken out of use or compromised in someway that prevented you from doing business for more than 24 hours.

Your current insurance may cover certain issues related to cyber risks, but it’s probably not comprehensive. Even though many insurance companies are enhancing their coverage to include cyber events, if you want to be completely covered for anything related to cyber, it’s wise to purchase cyber insurance specifically. 

Cyber insurance is important because it not only covers your business, but it also helps your customers and clients. Cyber insurance adheres to regulations that require businesses to notify their clients in the event of a data breach involving personal information. In addition, cyber insurance policies can provide compensation for legal fees.

Cyber insurance has many benefits including the protection it offers for large security breaches, the recovery it provides for major losses, and the service it administers to businesses to help them return to normal after a cyber event. Cyber insurance takes pressure off the government to provide aid for businesses who suffer from a cybercrime. 

Cyber insurance also brings an element of fairness to the table. The cost of premiums are balanced with the size of expected losses. A huge company that is more at risk for a cyber attack will pay a higher premium than an owner of a small tech platform who is just getting up and running, for example.

You may not have the business interruption and response management cover you think you have in the event of a large-scale cyber incident or attack. This is something that you will need to check very carefully and possibly take specialist insurance law advice on.

3. Stats on Cyber Attacks in the UK

One Small & Medium Enterprise (‘SME’) in the UK is successfully hacked every 19 seconds, according to Hiscox. There are around 65,000 attempts to hack SMEs in the UK everyday and about 4,500 of these hacks are successful. This means that cyber threats and cyber attacks affect 1.6 million of the 5.7 million SMEs in the UK each year.

The Cyber Security Breaches Survey conducted a study of UK businesses and the cyber security issues they encounter. Nearly 50% of businesses and around 25% of charities have reported cyber breaches or cyber attacks in the last year, and 22% claim they experience these cyber attacks at least once a week. Many of the companies that reported cyber security breaches also experienced a rise in phishing attacks, but a decrease in viruses and malware.

Among the 50% of businesses that reported a cyber breach or a cyber attack, one in every five experienced material loss; they lost money or data, or both. Two in every five were impacted negatively, meaning they experienced business disruptions and interruption or complete cessation of trade for a period of time. These companies needed to implement new security measures and many dealt with a shortage in staff during the aftermath.

A bit of good news: this survey discovered that businesses and charities in the UK experienced a quicker recovery after a cyber attack in 2020 compared to a cyber attack in 2017. This shows that businesses are becoming better prepared and better insured in case of a cyber security breach.

In 2020, the average cost of damages from a cyber attack for a small business was £3,230 per incident or loss. The average cost in damages for medium and large businesses was £5,220. According to the study, every year since 2016, businesses and charities in the UK have enhanced their knowledge of cyber attacks, increased their cyber security measures and carried out cyber security risk assessments.  So too have the cyber attacker and hacker become increasingly sophisticated and complex in their methods and tactics to penetrate firewalls and security systems, meaning that the risk of a cyber attack or incident has not gone away.

4. Am I covered for a Cyber Event or Cyber Incident? 

The simple answer depends on the type of insurance you hold.  Read your policy and do your research to discover what exactly your insurance includes.  Ask your insurance company or broker for the specifics so you know which cybercrimes are covered and to what capacity.  It is work checking whether you have First Party cover, Third Party cover, or both.

If you already have cyber insurance, you should also understand all the details of your cyber insurance policy. Cyber breaches that result in a negative outcome can incur significant loss, so make sure you know the ins and outs of your insurance plan, so you won’t be surprised in the unfortunate event that a cyber attack or cyber incident occurs.

It’s a good idea to keep up-to-date with cyber security issues, how they are developing and changing because it affects your business. Many companies need to implement audits and purchase cyber insurance. At the time of the survey in 2020, 50% of companies in the UK had carried out an audit and 32% were covered with cyber insurance.

5. How Fletcher Day can Help 

Fletcher Day is based in London and partner Nick Sutton in the Dispute Resolution team specialises in insurance law.

Fletcher Day can help your business with legal issues surrounding cyber insurance, including but not limited to:

  • the range of potential cyber risks applicable to your business
  • what your current cyber insurance coverage provides
  • any limits of indemnity (caps on the amount you will receive in compensation or reimbursement in the event of a catastrophic cyber event or incident)
  • any under or over insurance and what steps you need to take to address this
  • what steps to take with your broker and/or insurer to ensure that you are fully protected
  • support in relation to the cyber insurance claims process and any coverage disputes and/or quantification (valuation) of loss issues with your insurer
  • arbitration and litigation to contest and/or enforce your insurance law and contractual rights

We know that professionals such as bankers, insurance brokers and accountants often play a significant role in guiding businesses through cyber security issues as well as lawyers.  Business owners tend to start thinking about cyber risks during tax returns, audits, upgrading operating systems and switching to the cloud, but there is no time like the present to address any queries or concerns you might have in relation to your cyber insurance or commercial risks insurance cover.  Whatever your legal need is related to cyber insurance, we can help.

For all enquiries, please contact Nick Sutton, partner in the Dispute Resolution Team on +44(0)20 7870 3887 or email nick.sutton@fletcherday.co.uk  

10 March, 2022
Related Insights

Fletcher Day's excellent practice provides good quality, realistic and sensible advice, with particular expertise in the casual dining and retail sectors. - The Legal 500, 2019