By George Ralph, RFA – Whilst popular in the US, here in the UK, cyber liability insurance is slowly gaining traction but hasn’t yet reached a level of widespread adoption.
This is possibly because firms in the US have clearer liabilities where customers’ data is concerned: state breach-notification laws mandate that affected customers be told of a breach in writing. In the UK, by contrast, the costs associated with a cybersecurity incident or data breach are less clear, varying from industry to industry and between firms of different sizes. The imminent GDPR could change this, but we have yet to see that happen.
All cyber insurance policies are different, offering many different features, so it’s worth taking the time to investigate thoroughly.
Cover can be first-party, where you are covered for your own data loss or damage, whether caused by malicious or accidental means; third-party, where you are covered for costs and claims arising from third parties such as customers or employees; or both.
A typical policy will cover the cost of crisis management. This could include the expenses incurred by a firm in managing an incident from investigation through to remediation, legal costs, court fees and, where the law allows such fines to be insured, fines imposed by the regulatory authorities. The notification burden is another reason cyber insurance is more popular in the US: for a firm with a large customer base, the cost of writing to every affected customer can by itself be huge.
Many policies compensate for loss of income while business is interrupted by a cyber incident, and some include “hacker damage” cover, paying the repair, restoration or replacement costs of systems and data that have been compromised.
Some policies cover losses that result from cyber extortion, but it is worth checking the wording carefully. There have been a number of high-profile cases in which insurers refused to pay out because the loss did not arise from an intrusion into the firm’s computer network. Instead it came from a targeted phishing email (often called CEO fraud or business email compromise), in which a senior executive received a bogus but convincing email and subsequently transferred funds to the fraudster. No system was breached, so the insurer treated the loss as falling outside the policy.
Some policies offer network security liability, which covers third-party damages arising from denial of access to your systems, costs relating to data held with third-party suppliers, and costs relating to the theft of data from third-party systems.
In addition to financial compensation, many insurers will provide expert advice with a view to minimising your loss and the possible damage to your business. This could include specialist public relations support if a claim looks likely to damage your firm’s reputation. A communications lead is one of the key members of any cyber incident response team, so this can prove a valuable resource.
So, do alternative investment firms in the UK need to consider cyber liability insurance? With GDPR looming, yes. For the most serious infringements, firms could be fined up to 4% of their annual global turnover or €20 million, whichever is higher, and a breach of personal data that exposes inadequate safeguards could run into the millions. If you are considering insurance, you will need to do some thorough research first. Not all policies offer the same level of cover, and not all cover human error, which is one of the biggest causes of data breaches. It could be argued that firms may be better placed investing more in training and awareness for employees than in cyber insurance.
In fact, firms that invest in robust cybersecurity planning, with clear policies and procedures, multi-layered security controls and well-trained staff who understand the risks around handling data, will not only be better protected generally, they will also be preferred customers for cyber insurers and may be offered lower premiums. In regulatory terms, if a firm can demonstrate after a breach that it had taken reasonable technical and organisational steps to protect itself, the fine imposed by the regulator could be reduced or avoided altogether.
It’s important to remember that insurance cover is limited in scope and commands higher premiums as breaches increase in frequency. Cyber insurance cannot be a solution or a defence in its own right: there is very little an insurance policy can do to prevent cybercrime. Firms should treat cyber insurance as complementary to a robust cybersecurity strategy that incorporates threat intelligence, incident detection and a multi-layered architecture geared towards prevention. Combined with regular employee training, these remain the best ways of ensuring that data stays safe.