Cyber-attacks are showing no signs of abating and 2018 was a year that proved the need for businesses to have processes in place, not just to prevent digital data breaches and other related incidents, but also to deal with situations that do arise, and mitigate damage both to the business and to the end victims: those whose data has been compromised.
British Airways, Marriott International, FIFA, Cathay Pacific, Quora, Reddit, Facebook, Uber and even Google+ were all victims of data breaches in 2018, and those are just the big names that hit the headlines. Data breaches happen throughout the world of business. Any organisation that employs any form of digital process is open to a cyber-attack.
Warning: Cyber risk is NOT usually covered by a commercial combined policy
With such a continuous run of high profile data breach stories, it may be assumed that business leaders would be queuing up to take out a cyber risk insurance policy.
News reports in December, however, presented a very different story, with numerous businesses failing to take out such cover for various reasons, the most common being a belief that cyber-attacks and data breaches were already covered by a commercial combined policy. This is generally not the case: cyber risks are usually only covered by specialist cyber risk insurance.
What’s more, for those businesses that do invest in a cyber risk policy, the November 2018 Cyber Risk & Insurance Report by Mactavish highlighted differences between the cover they think they have and the cover they actually have.
Not all cyber risk policies are created equal
The report, as documented in Insurance Business, noted that some policies limit their cover to events that are triggered by unauthorised activity or attacks, and do not provide cover for issues relating to accidental errors or omissions. Sometimes data breach costs are also limited; for example, only the costs that the business is strictly legally required to incur would be covered, rather than the more widespread costs that a business would face in reality.
A great deal of confusion also arises because many businesses believe that cyber risk insurance covers the direct loss of funds, such as in instances of social engineering, employee theft or forgery. Again, this is not generally the case; should cover be required for these risk types, a crime insurance policy would be needed.
Cyber policies versus crime policies
Social engineering is a growing risk as methods employed by fraudsters become more and more sophisticated. Typical cases of social engineering involve fraudsters posing as directors or suppliers of a company in order to gain access to information or money. Emails from a ‘director’ to his finance manager requesting a transfer of funds to a new bank account, or from a ‘supplier’ notifying a change of account details for a payment are just two examples of social engineering. In most cases the lost funds are not recoverable. This is why a crime insurance policy can prove a wise investment.
Cyber risk insurance, depending on the individual policy, can provide cover for breach-related costs (forensic investigations, notification processes, customer support and public relations) and privacy protection (defence and settlement of claims made against you for data protection failings, and any regulatory actions). Cover can also be arranged for business interruption caused by a cyber-attack, for cyber liability, for hacker damage and for cyber extortion.
What to do next
The overriding message is to check your policies to ensure you are covered for everything you believe could pose a risk within your business. Using an independent insurance broker will allow you to attain cover that is tailored to your specific levels of risk and your individual business needs and circumstances.
2018 was a busy year for cyber-attacks and data breaches: it’s time to make sure your business doesn’t get caught out in 2019. Talk to us today about cyber risk insurance: we’re here to help.