Biz Extra

Published: April 19, 2022 | Updated: April 19, 2022

Matt Williams, Head of Office, Gallagher Poole, on protecting your business from cyber threats

By Andrew Diprose, editor

In a recent survey, one in five UK businesses polled had been hit by a ransomware attack in 2021, up 58% on 2020*, writes Matt Williams.

Yet despite this increasing risk, we often see businesses overlook the need for cyber insurance or, in some instances, assume they have cyber protection in their standard business policy.

As we continue to change our ways of working, bringing in new technologies and increasing remote working, specialist cyber insurance is becoming increasingly important.

+++

What is ‘cyber’?

The original intention of a cyber liability policy was to protect the policyholder from claims arising from third parties, e.g. the inadvertent transmission of a computer virus and dealing with the subsequent legal action (in a similar way to how public liability insurance protects against damage or injury to third parties).

Modern cyber policies have evolved beyond this, as most claims are now for losses suffered by the policyholder themselves arising from theft of own funds or data or damage to digital assets. A cyber policy, whilst continuing to provide liability cover, is now more similar to a property policy than to liability insurance.

What type of claims can a cyber policy deal with?

The simple answer is protection against criminal activity arising from the use of technology and the internet. Cyber claims tend to fall into three broad categories:

  • Theft of Funds – Basically, theft of money via electronic means from your bank account.
  • Theft of Data – In order to commit identity theft, criminals need your data and lots of it.
  • Digital Assets – Damage or the threat of damage to your digital assets can result in extortion and payment of a ransom, as well as the issue of fixing any damage done.

Unfortunately, some of our clients have experienced this first hand, as can be seen in these recent claim examples:

  • An employee accidentally sent a document to all customers which contained the personal data of their customer base, resulting in significant legal costs, compensation, ICO costs and data recovery – total cost £1,006,919.
  • A client had their server encrypted and a ransom was demanded for its release. Substantial forensics and data recovery costs were paid, as well as a large business interruption claim – total cost £348,484.

Whilst both of these examples include large financial costs, neither takes into account the reputational damage that can be incurred in the event of a cyber attack.

How does a cyber policy work?

A comprehensive cyber policy will have various sections of cover to assist in the event of a cyber issue or loss.

  • Incident Response – The costs in responding to a cyber incident in real time with insurers appointing specialist support. This could be IT security or forensic engineers or legal advice to deal with a data breach.
  • Extortion – Costs in responding to fraudsters attempting to extort money by threatening to expose or destroy your data.
  • System Damage & Business Interruption – Cover can also pick up the costs and loss of profits in dealing with system damage and restoring IT systems and applications as quickly as possible.
  • Social Engineering/CEO Fraud – Along with cyber extortion, this is one of the fastest growing forms of cybercrime. This is where a fraudster imitates a supplier and tricks the victim into transferring money to the wrong bank account.
  • Liability/Regulatory Fines – This could be infringement of intellectual property, defamation or, as previously mentioned, transmission of malware to a third party. The policy will also include the cost of certain fines following a data breach (where permissible by law).

All policies are different and the policy coverage can vary significantly between policies.

It is important that your cyber liability policy be fit for purpose for your business. There are several factors and questions to consider:

  • Multi-Factor Authentication (MFA) is now a minimum requirement for many insurers. If you don’t have this in place and there is a policy clause that insists on it, then insurers may not deal with a claim.
  • Cyber policies generally do not automatically extend to include cybercrime; cover has to be specifically extended to include it.
  • Check to see if your policy limits are aggregated or if they are on an ‘any one claim’ basis. Aggregated limits can quickly be exhausted, especially if multiple claims are submitted in the policy year.
  • Are your policy limits adequate? We have access to tools from insurers that will calculate how much a ransomware attack might cost your business – you may be surprised!

Cyber can be a complex area of your insurance programme – if you would like more information or would like a quotation then please contact Matt Williams.

matthew_williams@ajg.com

01202 647400.

* Taken from research conducted by Opinium, between 9th – 16th September 2021, among 250 senior IT leaders in UK businesses.

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.

Arthur J. Gallagher Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 7th Floor, 55 Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909.