"There's more cyber-enabled crime than all other crimes put together," said Duncan Sutcliffe, director of Sutcliffe & Co Insurance Brokers. "Yet here we are insuring against fire, flood, burglaries, while only 5% of businesses are buying cyber insurance."
Sutcliffe admits that it's a hard sell. Cyber insurance doesn't cover anything tangible, such as a building, car, or office full of computers, yet the potential for damage caused by a data breach, leak or unauthorised server penetration can be far more serious than the loss of hardware.
"Cyber is an extension to a lot of traditional insurance policies," said James Brady, head of cyber for specialist insurance provider Hiscox, who has seen increased interest in policies since the introduction of GDPR. He acknowledges that physically focused insurance - against fire or theft of property - is well understood, "yet you're statistically more likely to make a cyber claim than have a fire... employees are very susceptible to social engineering, phishing attempts, and so on, and that could lead to a claim."
Buying cyber insurance
Every policy is tailored to the business taking it out, and although the questions asked at the outset will sometimes be determined by turnover (Hiscox is launching a new product in early March aimed at businesses with annual earnings of less than 1 million), the kind of data they handle and the business model also play a part.
The policy price "depends on revenue, industry, number of employees and so on," said Brady, "but they'll certainly get a more favourable premium if they have the relevant IT security accreditations - and, from a cultural perspective, if they appreciate the exposure that cyber is these days and they're doing everything within their means to mitigate the more employee-negligence-driven errors."
Cyber Essentials Accreditation, ISO 27001 certification and ongoing staff training can help reduce premiums precisely because they also help reduce risk.
Things like this are helpful to have, said Sutcliffe: "They [may] determine whether you can buy insurance and how much it might cost. Most insurers state certain minimum requirements, like backups, firewalls and so on.
Encryption is one that they use a lot, but that's such a vague and woolly phrase that even IT experts argue over it. With regard to Cyber Essentials, it's a recommendation from us, really. There are some insurance companies that will give discounts for it and there are some that will only ask you to fill out a shorter application form if you have it [but] I'm not aware of any that say it's compulsory."
This doesn't mean only large players, who can invest in staff development, should consider cyber insurance - and, indeed, Sutcliffe counts "one-man bands" among its customers. Hiscox, meanwhile, recognises that not every business has the resources to put its staff through certification or accreditation, and hosts customer training that could help.
"We offer a Cyber Care Academy, which is a value-added service for customers who potentially don't have the means or the internal structure to put a training platform in place, that will educate their employees against things like phishing attempts and social engineering," Brady said.
Do I need it?
Increased take-up of cloud services, such as Office 365 and G Suite, as a substitute for on-site infrastructure has the potential to breed complacency. Backed by two of the biggest players in IT, such services can justifiably make reassuring claims regarding security. However, says Sutcliffe, thinking this means you can manage without cyber insurance would be short-sighted.
"Using something like Office 365 doesn't mean you're not going to send a confidential email to the wrong John Smith - or your entire address book. It doesn't mean you can't receive malicious software, and where GDPR's concerned, you're still legally responsible for the data. If you lose it or it gets pinched, it's your business that's going to be on the hook, whether [Microsoft] is involved or not."
Cyber insurance can help recoup the costs of lost data, regulator fines, malware ransoms and even the damage done by negative SEO, but the full benefits go far further, argue both Sutcliffe and Brady.
If the worst does happen, cyber insurance will put you in contact with a panel of experts who can help limit the damage
"You're buying access to a panel of industry experts in a very short space of time," explained Brady. "If you suspect that a breach has occurred, you as a small business are unlikely to have knowledge, understanding or awareness of who these experts are or how you would go about engaging with them in the event of a cyber incident."
"The first thing a business owner would do is call the insurer's helpline for an emergency response," said Sutcliffe. "Many of these have a 24-hour helpline, which puts them in touch with a technical team, legal team and crisis management PR team. It depends on the scenario what the priority is, but you can imagine most business owners, including those with their own in-house IT people, will be suddenly asking 'what am I going to do? What's happening here?'"
In many respects, buying a cyber insurance policy is akin to time-sharing an additional, multiskilled team that only kicks into action when required. They may sit dormant for years - at least as far as your own business is concerned - but they'll hit the ground running when disaster strikes, and time is of the essence.
In Brady's words, "looking at this through a GDPR lens... you've got a 72-hour clock that starts ticking as soon as you suspect a breach has occurred to notify the regulator [meaning] you need to get things moving pretty quickly at the outset. That, for me, is the key benefit for a potential policy holder."
Insurance for your clients
All of these are first-party losses, which are sustained by the policy holder, but any initially "local" problem can quickly spread. While helping with your own issues, the experts that come as part of a cyber insurance policy will reach out to your clients and suppliers to investigate the full extent of any damage and offer support where required.
"If data subjects have been affected by the breach, you have got claims potentially being brought by them and liabilities owed to them, as well as the cost associated with the regulatory investigations," said Brady.
If your company has been hit by a virus, explained Sutcliffe, "a cyber insurance policy would offer [your] customers a credit monitoring service in case it's spread to them, [which will] check that they've not started to lose money."
In this respect, taking out a policy is as much about being a responsible player as it is a measure of protecting your income and reputation.
As with all insurance policies, it's no good waiting until you have suffered an attack, so it's some consolation that while take-up may still be modest, it's rising. Hiscox has "seen upticks across the board", not all of which was driven by the advent of GDPR.
Moreover, where once it was only the big players - who had the resources to calculate risk in house - that understood the benefits of cyber insurance, what Sutcliffe calls the "little boys" are starting to catch on.
"That's where our bread and butter is, and sales for policies [in this market] are going like hot cakes," he said. "To say it was doubling every year would be an understatement."
