In 2015 the Lloyd's market wrote £322m worth of cyber policies. In 2016 this is expected to rise to £500m. Yet take-up of cyber insurance in the UK is lagging far behind that of the US, despite numerous warnings from GCHQ about the threat posed to British businesses by cyber-attacks.
So where to start? If you are a CEO, Board member or CIO considering purchasing cyber insurance, here are a few useful pointers:
- Value at risk – have you worked through a plausible worst-case scenario for data loss? What is the potential financial impact? By the time you have added up notification costs, business interruption costs, the cost of IT forensics, remediation work, contractual claims, regulatory penalties and PR costs the figures can start to look quite scary, and that is before you even start to think about the reputational damage that might accrue. You don't have to be a large business to have a lot of value at risk.
- Treat before you transfer – cyber insurance is about transferring residual risk. Before you seek to transfer that risk, you should make sure it is as low as reasonably possible. Do you have a cyber security programme in place? In the event of a cyber-attack or other data loss incident you will need to be able to reassure your clients that you have taken reasonable and proportionate steps to defend your business from cyber risks. If you do decide to take up cyber insurance, the underwriters will look at your cyber defences in order to price the risk, and the answers you give on the proposal form become part of the contract, so they need to be accurate.
- Existing cover – what does your existing Professional Indemnity provide for? It may be that your existing policies indemnify you against certain claims from third parties arising from the loss of data. However, the policies themselves are unlikely to cover you for first party losses of the kind that can quickly accrue from a cyber incident. It is worth talking to your broker to check the current situation.
- Mind the gap – if you wish to purchase specific cyber cover, make sure you have an in-depth conversation with your broker and that you feel really comfortable with the extent of the cover you are buying. The cover needs to be specifically tailored to your firm. A recent example in the US – P.F. Chang's China Bistro v Federal Insurance Co – highlights some of the key issues in the limits of cyber cover. In that case the insured, a restaurant chain, discovered too late that its policy did not indemnify it for the MasterCard assessments passed on by its card processor following the theft of payment card data. There have been various recent examples of losses flowing through third parties, whether attackers reaching the insured via a supplier or the insured being pursued by its own customers or partners, which may have fallen outside the scope of the insurance cover. This is worth checking.
- Exclusions – we know from leading forensic investigations into cyber attacks that it is often possible to find internal weaknesses that inadvertently enabled the attacker, such as a missed patch, a misconfigured system or a control that had lapsed. It is important to make sure that this would not be deemed negligent by the insurer, or treated as a failure to maintain the security measures declared when the policy was taken out, and therefore reduce the quantum of any pay-out in the event of a claim.
In 2012, Robert Mueller, the then Director of the FBI, said that there were only two types of company: "Those that have been hacked, and those that will be." Also in 2012, Theresa May, then Home Secretary and now British Prime Minister, stated that "Cyber-crime is a serious problem which affects businesses of all sizes and can have devastating consequences". While US businesses appear to have taken heed, UK businesses have been slower on the uptake.
Of course, cyber insurance in itself will not protect a business against a cyber-attack, but what it will ensure is a degree of financial cover for when one does happen. As Martin Camp, Divisional Director at Lark Insurance, comments, "After a system is breached, things can get really bad... (because) organisations are failing to ensure they have sufficient insurance in place to protect themselves for after the worst has happened".
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.