What you need to know about cyber security insurance

In Information Security / By Team Acumin / 18th September 2014

Cybercrime around the world costs something in the region of £265 billion per year, according to a recent report from the Centre for Strategic and International Studies (CSIS) and McAfee. In the UK last year, some 93 per cent of larger companies reported a security breach of some kind, whilst around 87 per cent of small businesses were also hit by cybercrime. The accumulated cost to a corporation over the year went as high as circa £1.4 million, whilst for an SME the cost could go above £60,000.

In this context, companies are increasingly seeking some kind of fallback in the form of insurance. According to industry blogger Geoff Standbridge, the cyber insurance market has matured since policies first began appearing in the early 2000s. He wrote:

“Cyber Insurance is a much more established market with more carriers now looking to provide the appropriate cover for businesses of all sizes who are now beginning to see Cyber Insurance more as a mandatory purchase rather than discretionary.”

If you are considering buying a cyber security policy for your business, then here are some points to look out for:

Two main types

As with many standard insurance policies (motoring in particular), there are broadly two types available: first-party and third-party. First-party policies broadly cover the direct impact of cybercrime on your business, and ultimately on yourself. A third-party policy goes further, covering you for claims made against you by your customers – in other words, helping you cover the damage an incident inflicts on others.

First-party cover examples

First-party cyber insurance will cover your own property, but it must be stressed that ‘property’ in this context covers digital assets, such as database records, as well as physical materials such as data CDs and backup tapes. Your business will also be protected against cyber extortion (or blackmail), reputational damage, and theft of money or valuable equipment.

Third-party insurance, on the other hand, will help cover your customers in the event of, for instance, breaches of privacy and security. Also covered will be the expense of notifying customers and the loss of customer data, including paying out compensation in certain circumstances.

There’s usually a cover limit of around £1m–£5m, with £10m being available in rare cases (according to the Association of British Insurers).

The ups and downs of cyber insurance

However, it’s worth bearing in mind that cyber insurance is still quite a young industry, and in one report by the CIO Journal, the difference between the US and UK markets has been noted:

“The cybersecurity insurance market is more mature in the US than in the EU, primarily because of US states’ mandatory data-breach-notification laws.”

It’s also been suggested that the trade-off between payouts and premiums is not sufficiently tempting for a number of UK businesses, and they remain reluctant to adopt cyber insurance.

In conclusion, this latter concern in particular could be resolved by clear policy wording (already in evidence from some of the big players in the industry) and up-front communication from the insurance companies, so that any potential client knows exactly what they are getting from the outset.