Should I insure my company against cybercrime?
UK businesses are under attack, so is it time to guard against the cybercrime threat in the same way we do floods and fraud?
Relatively few firms are insured against cybercrime. The government's Cyber Security Breaches Survey 2016 found that just "two-fifths (37%) say they have some form of cyber security insurance. This is significantly less common among micro-firms (30%) than among small (47%), medium (48%) and large (40%) ones. It is also a more regular provision in education, health or social care organisations (52%), and is much less prevalent than average in construction or manufacturing firms (22%)."
However, these numbers mask a more serious problem, which is the extent of the cover the firms think they have versus the reality. Insurance industry estimates put the number of companies that believe they have cover, when they don't, at around 40%. Now would be a good time to dig out your policy and check if you're among them.
"Businesses shouldn't see this as a 'nice to have'," Tarling argued. "It should be seen as part of your essential business planning in the same way that you'd insure your property against fire or flood."
Stephen Ridley, of insurer Hiscox, which has offered cyber-insurance since 1998 and seen take-up treble in the past year, has advice for first-time buyers. "Look out for policies that specify minimum security conditions in the policy wording. Ask whether it's a ground-up or top-down policy: do you start with a basic package onto which you'll need to bolt extra features, or does your insurer offer you everything as standard?"
The latter will give the best peace of mind, but Ridley advises asking how your chosen provider would handle a claim, too. "Do they just sign over a cheque and tell you to use it to sort out the problem yourself, or do they have people who can come in and help? We have a panel of expert firms, IT forensics, PR and legal consultancies who are always on call, 24/7, to help mitigate the longer term reputational damage that can be done."
Tarling also talks of sourcing cover for "internal business losses, privacy breaches, cyber-extortion and hacking damage" as well as cyber forensics support, and highlights the fact that "a lot of insurers can also provide risk-management services to help businesses assess where they may be vulnerable and advise on which steps could be taken".
Many businesses handle large amounts of personal data, some of it sensitive, and as users we put a lot of trust in their ability to keep it safe.
As Alex Mathews, EMEA technical manager at cyber security firm Positive Technologies, explains, "as people wake up to the sensitivity of the data stored about them... they become more protective. [If a company loses that data then] they vote with their feet and walk away. It takes a lot of time and money to acquire new customers, but only seconds to lose them."
Positive Technologies' research into the impact on customer loyalty of a data breach indicates that almost a half of respondents would cancel their accounts, a third would avoid using that company in the future, and a quarter would go so far as joining a class action suit against the firm holding their data.
Cover for the latter, which Ridley calls cyber liability cover, is included with many policies, but fewer of them focus on it than in the early days of cyber-insurance. He said most businesses are interested in protecting themselves against unexpected costs or loss of earnings.
The price of a policy will depend on the nature of your business, and the amount and type of data you'll be gathering. An ISP would buy cover worth several tens of millions of pounds, with the risk shared between multiple insurers, usually arranged via Lloyd's of London. Yet Hiscox has seen interest in policies filter down to even one-person startups in recent years as cybercriminals shift their attention to low-hanging fruit. For small businesses such as this, premiums in the region of £150 per annum should give cover of up to £100,000.
Personal data security
Anyone who has made an insurance claim will know that once you've been compensated, it can take time to get back on your feet. An insurance policy is no substitute for ongoing care and attention to your data security, even if some insurers maintain a surprisingly generous approach in this respect (many, for example, will provide cover for both internal negligence and external malicious actions, but check with your provider before signing on the dotted line).
Also, even though you might prefer to keep a data breach private, the law makes notification to the Information Commissioner's Office mandatory for many firms. Worse, while you're morally obliged to warn your customers, there may also be a legal requirement there.
Holding another person's data, whether that be their documents, their accounts or their credit card details, is a modern-day responsibility that must be undertaken with all due seriousness. As the Association of British Insurers' Malcolm Tarling reminds us, "cybercrime is no longer the domain of only the larger multinationals".
This article originally appeared in PC Pro