Cyber Insurance The What, the Who, the Why and the How…

What is Cyber insurance?

Cyber Insurance is designed to protect your business from threats in the digital age – this can include data breaches or malicious cyber hacks on work computer systems. Many insurers offer a flexible range of benefits so that businesses can purchase the cover they really need, reflecting their risk exposures. There are a number of insurers now providing this type of insurance and the cover provided does vary greatly. Insurance can provide protection against:

  • Data breaches – where personal or commercial information (electronic or otherwise) is accessed without authorisation;
  • Security failure – a hacker exploits weaknesses in your security systems, leaving your business exposed;
  • Cyber attacks – any digital attack against your business;
  • Extortion – criminals holding your systems or data to ransom or threatening to publish information;
  • Human errors – mistakes made by staff or suppliers that result in a data breach or system outage;
  • Business interruption – covering the loss of income that you may suffer from a cyber attack;
  • GDPR – covering your liabilities and the cost of defending regulatory investigations after any alleged breach of data protection legislation;
  • Reputational damage – includes PR and crisis management support, and covers lost revenue or customers;
  • Financial crime and fraud – the use of the internet to deceive employees, customers or suppliers into transferring money or goods;
  • Property damage – physical damage to equipment or property resulting from a cyber attack;
  • Dependent business interruption – covering lost revenue or increased costs incurred if a supplier’s systems are taken offline by a cyber incident.

Who should take out Cyber insurance?

It is available to businesses of all sizes, from one-person operations to multi-site, multi-nationals. Your business is at risk if:
  • You hold customer or employee data including names, addresses, dates of birth, bank details and copies of identity documents such as driving licences or passports
  • You use a computer to operate your business
  • You have a website
  • You take card payments
  • You make electronic payments
  • You store data in the cloud or rely on a cloud-based service provider

Why should businesses be concerned?

There is an increasing view that an attack against your business is no longer “if” but “when”. In a recent article, the CEO of the National Cyber Security Centre estimated that 1 in 2 businesses will be subject to a cyber attack.

At the recent EC Getting and Keeping Customers Conference, it was highlighted that the average cost of a cyber attack to a small business is £40,000 and, worryingly, two thirds of small businesses do not re-open after an attack.

We have set out some real-life examples of claims that insurers have shared with us:

Case Study: Ransomware Attack

The policyholder reported that it discovered that its IT system had been infected with malware. It was subsequently discovered that the malware was ransomware identified as “ransomcrypsam.D”, a new strain of ransomware that its antivirus detection system was unable to detect. The virus quickly infected and encrypted systems throughout the organisation. All systems were locked, the policyholder closed all of its field offices, and operations at its headquarters were significantly impacted. The insured received a “ransom” demand of £10,000 in bitcoin to unlock the encryption.

Total cost of the claim was over £70,000.

INSURER RESPONSE: The ransom was paid but the encryption key was not released. As a result, the policyholder was required to restore system operations from its backup files. Although the policyholder had backup files that were only a few days old, restoring full capacity system-wide took over two weeks. In addition, there was some indication of compromise of confidential information stored within the system. As a result, it was necessary to conduct a forensic investigation to determine the extent of the intrusion. There were ultimately no third party claims.

Case Study: A costly phishing trip

An employee at a financial services agency fell victim to a phishing incident in which a spoof email from one of the company’s senior managers requested that the employee transfer £226,000 to a specified bank account. Believing the request to be genuine, the employee issued the fraudulent wire and both the agency’s bank and the receiving bank were unable to recover the funds. The email was actually from a Gmail account created to imitate the senior manager’s genuine address.

Total cost of the claim was over £226,000.

INSURER RESPONSE: On realising what had happened, the agency called the insurers, and immediately engaged a data breach coach and IT forensics to confirm whether there had been any breach of the company’s systems or whether personal data had been compromised. The insurer reimbursed the money lost within a month of notification, while it was confirmed that no breach of data had occurred, so there was no need for any notification. Losses for payment diversion fraud can be offered as an additional cover to many standard policies.

Case Study: Advertising for Bitcoin

A PR company (with a turnover of under £1,000,000) noticed a problem with its emails. Its regular IT contractor investigated and concluded the most likely cause was malicious activity. The insured contacted us and we deployed an IT forensics team who were quickly on site to investigate and confirmed the insured had indeed been the victim of an attack. The PR company’s IT systems had been infected with cryptojacking malware to mine for cryptocurrency. They also confirmed that the hackers who deployed the malware had accessed the insured’s systems and that personal data was potentially compromised.

Total cost of the claim was over £39,000.

INSURER RESPONSE: After investigating the extent of the breach, the IT team removed the malware and plugged the gap in the PR company’s security which had allowed the breach. They then engaged legal counsel to advise the insured on its notification obligations, and then arranged the notification of the regulator and relevant data subjects.

How can you protect your business?

A claim under an insurance policy is always the last resort. There are a number of steps that can be taken to protect your business:

  • Investment in detection monitoring software – this will help you spot the early signs of malicious activity
  • Employee awareness and training – teaching employees how to spot attacks such as phishing emails
  • Backing up data – understanding what data your business has and taking steps to protect it
  • Promote remote working best practice – this will include:
    • Prevent weak passwords
    • Avoid using non-work-specific laptops
    • Update anti-virus software
    • Avoid connection to unsecured networks

Next Steps...

If you would like a quotation, please send an email to setting out the following information:

  • Name:
  • Contact Telephone Number:
  • Business Name:
  • Company Number:
  • Business Address:
  • Number of Employees:


Alternatively, if you would prefer to talk to a member of our team please call 0333 577 8232