INTRODUCTION

Cyber threats are a growing and rapidly changing threat to UK businesses of all types and sizes. Although hacks and data breaches of major companies such as TalkTalk, Sony, Target and Ashley Madison make the headlines, the reality is that smaller companies are just as likely to be impacted by a cyber-attack, which accesses confidential data or business models, steals funds or mis-programmes essential equipment.

According to PwC’s annual Global State of Information Security Survey 2016, there was a 38% increase in information security incidents for businesses of all sizes compared to the previous year. The Federation of Small Businesses (FSB) has noted that 66% of SMEs do not consider their business to be vulnerable to cyber threats. Yet the latest data shows that 74% of SMEs report they had suffered an information security breach in the past year and the average cost of the worst breach was between £75,000 and £310,800. These statistics make stark reading. The size and variety of businesses at the SME level make them a natural target for cybercrime and fraud, as companies often hold customer data with lower levels of protection than major corporations.

This is why the insurance industry is playing a key role in supporting businesses of all sizes to both improve their resilience to cyber-attacks and to help them recover if the worst should occur. This guide sets out key features of cyber insurance policies to look for when you are seeking to insure your business. As you explore the protection afforded by cyber insurance it is also important to make sure your business is taking appropriate steps to manage the cyber risks that it faces. Checking the suitability of firewalls, updating malware protection and briefing staff on cyber security best practice are all good first steps; for a useful self-review and further advice, the Government’s Cyber Essentials scheme is a great place to start.

 

“74% OF SMEs REPORT THEY HAD SUFFERED AN INFORMATION SECURITY BREACH IN THE PAST YEAR”

SIX KEY AREAS TO LOOK OUT FOR IN CYBER INSURANCE POLICIES

1. CYBER BUSINESS INTERRUPTION LOSS

This is a core aspect across all cyber insurance policies. Under this agreement if an IT failure or cyber-attack interrupts your business operations, insurers will cover your loss of income during the period of interruption, including if this is caused by increased costs of conducting business in the aftermath of the attack. This can be a critical safety net as you look to recover your normal working pattern.

2. PRIVACY BREACH COSTS

This is one of the largest and most critical sections to look for in a cyber insurance policy. It is either an extended single clause or sometimes can be split into two separate clauses: “Breach Costs” and “Privacy Liability”.
“Breach Costs” protection will cover your business for costs arising from dealing with a security breach.

For example, notifying customers of a cyber breach, the costs of hiring a call centre to answer customer enquiries, the costs of public relations advice, IT forensic costs, any resulting legal fees or the costs of responding to regulatory bodies.

“Privacy Liability” protection will cover your business against claims of infringement of privacy and associated legal costs in the event of a breach. Usually this cover not only provides for payments to legitimate claimants but also the legal and regulatory defence costs arising from a privacy breach. This form of cover is especially relevant for businesses that handle or store any personal information from their customers.

3. CYBER EXTORTION

Cyber Extortion cover protects your business from ransomware and other malicious attempts to seize control of, and withhold access to, your operational or personal data until a fee is paid. This clause will typically provide for a reimbursement of the ransom amount demanded by the attacker as well as any consultant’s fees to oversee the negotiation and transfer of funds to solve the ransom request. This clause is included as standard in most cyber insurance policies and is growing in prominence as more businesses move online and the use of ransomware proliferates. Ransomware systems such as “CryptoLocker” and “Cryptowall” have accrued millions of dollars in illegal profits according to reports by law enforcement agencies.

Paying an attacker to unlock your systems should not be the first course of action. Before any decision to pursue this course of action you should report the matter to the police, and also speak with your insurer to establish the conditions for them paying any cyber extortion expenses. Upon the resolution of a ransomware attack, your business should then look to repair the breach and improve security.

4. DIGITAL ASSET REPLACEMENT EXPENSES/“HACKER DAMAGE”

This clause protects your business from damage inflicted by a hacker on digital assets. In particular it provides protection against the loss, corruption or alteration of data as well as the misuse of computer programmes and systems. Asset replacement expenses are especially relevant for firms that rely on online business models or on automated manufacturing systems where a hack could inflict significant damage to business operations.

5. MEDIA LIABILITY

Media liability insures a business in the event that your digital media presence leads to a party bringing a claim against your business for libel, slander, defamation or the infringement of intellectual property rights. This clause is especially pertinent for companies that rely on the transmission of digital data via email or a website, rely on a large social media or digital content creation business model, or have significant advertising on their site that may lead to a liability.

6. CYBER FORENSIC SUPPORT

Cyber Forensic support is often included by insurers as a standalone clause or can sometimes be located under the more generic “Breach Costs” clause explained above. In practice, cyber forensic support translates to having near-immediate 24/7 support from cyber specialists recommended by your insurer in the period following a hack or data breach. These specialists are able to assess your systems, identifying the source of any breach and suggesting preventative measures for the future. In addition, this support can often include advice on your legal and regulatory requirements as well as what steps to take to notify your customers of a data breach.

POTENTIAL EXCLUSIONS TO LOOK OUT FOR

As with any insurance policy, it is crucial to review not only what is covered by your insurer but what is excluded under the agreement. Most exclusions in cyber insurance are the same as those in other insurance policies such as war and terrorism. For cyber insurance in particular, some common exclusions to be aware of are as follows:

“COURT JURISDICTION”

It is always worth checking which territories a cyber policy applies to. While policies purchased in the UK normally include territories in the European Union and much of the rest of the world in their cover, the United States and Canada are often excluded.

“CLAIMS BY RELATED ENTITIES”

Whilst cyber insurance will protect your business from loss of customer data and any claims which arise as a result of this loss, policies do not normally cover claims by employees who may seek redress for the loss of their personal information in a data breach. This exclusion normally extends to contractors and even to partially owned subsidiaries of your business.

“BODILY INJURY AND PROPERTY DAMAGE”

Digital Asset Replacement clauses will replace losses in the digital sphere, but cyber insurance policies will not usually cover damage to physical property or bodily injury which results from a cyber incident.

“CRIME VS CYBER INSURANCE”

Cyber insurance will protect and reimburse your business in the event of loss of data as well as providing the necessary support for legal, notification and other costs in the event of a breach.
However, cyber insurance will NOT reimburse your business for a financial loss (such as a hacker stealing money from a bank account); this would be covered under a crime insurance policy which many businesses may already have.

FURTHER INFORMATION

This guide provides an introduction to the protection offered by cyber insurance, and is a starting point for those looking to enhance the protection of their business. Insurance can only ever be one part of the toolkit of preventative measures though, and as cyber threats continue to develop it is crucial that businesses also take steps to put in place strong cyber security. More information on cyber security can be found on the cyber pages of www.abi.org.uk or at the links below, which can further your understanding of cyber security initiatives in the UK.

CYBER ESSENTIALS

(www.cyberstreetwise.com/cyberessentials) is part of the Government’s Cyber Street Wise initiative and provides businesses of all sizes with good standards of basic cyber security practice. Cyber Essentials is mandatory for businesses working on central government contracts which involve handling personal information and certain IT services. Available in two levels, Cyber Essentials and Cyber Essentials Plus, the assessments provide an identifiable certification to demonstrate that your business adheres to government standards.

THE CYBER SECURITY INFORMATION SHARING PARTNERSHIP – CiSP

(www.cert.gov.uk/cisp) is a joint industry-government initiative for the sharing of cyber threat and vulnerability information. It is a free-to-join service provided and managed by CERT-UK. Members vary from large multi-nationals to SMEs across sectors, and the platform enables all participants to share cyber threat information. This helps increase the overall situational awareness of the cyber threat and therefore reduce the impact on UK businesses.

RESPONSIBLE FOR INFORMATION

(www.nationalarchives.gov.uk/sme) is a free e-learning course aimed at the staff of SMEs. With a focus on helping staff to understand information security and cyber risks it can be used as an introductory step towards better cyber security awareness.

CONTACT US FOR FURTHER INFORMATION ON OUR RANGE OF INSURANCE SERVICES

Tel: 0208 236 5350
Email: info@hamiltonleigh.com

ONLINE REFERENCE DOCUMENT

CYBER LIABILITY INSURANCE

As technology becomes increasingly important for successful business operations, the value of a strong Cyber Liability Insurance policy will only continue to grow. The continued rise in the amount of information stored and transferred electronically has resulted in a remarkable increase in the potential exposures facing businesses. Regulations such as the Data Protection Act must also be considered, because a loss of sensitive personal information may subject you to fines and sanctions from the Information Commissioner. In an age where a stolen laptop or hacked account can instantly compromise the personal data of thousands of customers, or an ill-advised post on a social media site can be read by hundreds in a matter of minutes, protecting yourself from cyber liabilities is just as important as some of the more traditional exposures businesses account for in their general commercial liability policies.

WHY CYBER LIABILITY INSURANCE?

A traditional commercial insurance policy is extremely unlikely to protect against most cyber exposures. Standard commercial policies are written to insure against injury or physical loss and will do little, if anything, to shield you from electronic damages and the associated costs they may incur. Exposures are vast, ranging from the content you put on your website to stored customer data.
Awareness of the potential cyber exposures your company faces is essential to managing risk through proper cover.

POSSIBLE EXPOSURES COVERED BY A TYPICAL CYBER POLICY MAY INCLUDE:

Data breaches – Increased online consumer spending has placed more responsibility on companies to protect clients’ personal information.

Business/Network Interruption – If your primary business operations require the use of computer systems, a disaster that cripples your ability to transmit data could cause you, or a third party that depends on your services, to lose potential revenue. From a server failure to a data breach, such an incident can affect your day-to-day operations. Time and resources that normally would have gone elsewhere will need to be directed towards the problem, which could result in further losses. This is especially important as denial of service attacks by hackers have been on the rise. Such attacks block access to certain websites by either rerouting traffic to a different site or overloading an organisation’s server.

Intellectual property rights – Your company’s online presence, whether it be through a corporate website, blogs or social media, opens you up to some of the same exposures faced by publishers. This can include libel, copyright or trademark infringement and defamation, among other things.

Damages to a third-party system – If an email sent from your server has a virus that crashes the system of a customer or the software your company distributes fails, resulting in a loss for a third party, you could be held liable for the damages.

System Failure – A natural disaster, malicious activity or fire could all cause physical damages that could result in data or code loss.

Cyber Extortion – Hackers can hijack websites, networks and stored data, denying access to you or your customers. They often demand money to restore your systems to working order. This can cause a temporary loss of revenue plus generate costs associated with paying the hacker’s demands or rebuilding if damage is done.
Cyber Liability Insurance is specifically designed to address the risks that come with using modern technology; risks that other types of business liability cover simply won’t. The level of cover your business needs is based on your individual operations and can vary depending on your range of exposure. It is extremely important to work with a broker that can identify your areas of risk so a policy can be tailored to fit your unique situation.
As reliance on technology continues to increase, new exposures continue to emerge. As your business grows, make sure your cyber liability cover grows with it. Hamilton Leigh is here to help you analyse your needs and make the right cover decisions to protect your operations from unnecessary risk.

DIRECTORS’ & OFFICERS’ LIABILITY

“D&O is an essential element of your insurance programme in today’s increasingly litigious society”

Executive and non-executive directors are increasingly accountable for their actions under changing legislative and regulatory frameworks and given evolving attitudes and expectations regarding corporate performance.

The main external changes underlying this increase in the personal liability of directors are changes in legislation and regulations in the areas of corporate governance, employment law, health and safety, etc. and the increasing powers of regulators. Moreover, there is a new focus on the communication of information to shareholders, and a greater willingness of shareholders and other third parties to sue.

Some of the more frequent causes of claims against directors and officers include:

  • Stock price volatility
  • Poor financial condition
  • Mergers and acquisitions (M&A) activity
  • Insider trading
  • Financial restatements
  • Failure to disclose problems relating to the purchase of a subsidiary
  • Accounting irregularities

CRITICAL QUESTIONS THAT YOU NEED TO CONSIDER

Have you recently reviewed the scope of cover granted under your D&O policy? D&O is a complex product, with a wide variation in the breadth of cover from different providers.

The Extradition Act 2003 provides the USA and other countries with extensive powers to instigate extradition proceedings against UK directors and officers. Will your D&O policy cover the costs associated with resisting these proceedings?

Are your board members fully aware of the conditions and exclusions of your D&O policy? Non-executive directors in particular are keen to understand the amount and scope of cover available, to satisfy themselves that they will have access to sufficient defence costs in the event of a claim.

In the changing claims environment, have you reviewed the adequacy of limits and programme design?
Will your policy be able to meet the evolving needs of your business, especially if it ventures into new jurisdictions?

ENVIRONMENTAL LIABILITY

While UK organisations have become better at preventing pollution through physical controls, there is still a tendency to overlook or underestimate less obvious forms of environmental damage.

Some organisations can discover too late that the environmental insurance cover within their policies may be very limited and not comprehensive enough, and managers may not even be aware that they are personally liable for damage.

In addition, organisations may unknowingly assume environmental liabilities. Business transactions such as mergers and acquisitions can involve historical liabilities being passed from one party to another, for example.

Society is increasingly unwilling to tolerate harm to the environment, and those businesses that are perceived to be irresponsible can expect considerable censure from the media and public.

CRITICAL QUESTIONS YOU NEED TO CONSIDER

  • Are you aware of the available insurance solutions that can close off historical liabilities in M&A transactions?
  • Do you have adequate cover for the new EU Directive on Environmental Liability, which carries new responsibilities for remediation?
  • Have you weighed the cost of your insurance cover with the potential financial liabilities that you face if you do not have adequate insurance protection?

INTELLECTUAL PROPERTY RIGHTS

WHAT IS INTELLECTUAL PROPERTY RIGHTS INSURANCE?

Intellectual Property Insurance coverage protects companies for copyright, trademark or patent infringement claims arising out of the company’s operation. It pays the defence costs and any judgement up to the policy limits.

WHEN DO I NEED INTELLECTUAL PROPERTY INSURANCE?

You need Intellectual Property insurance if the threat exists that you could be sued by a competitor for infringing on an idea or intellectual property belonging to someone else.

As long as you are not aware of any known infringements or violations, you can apply for insurance to protect your trademark or patent. However, in order to get coverage, you will be required to prove that you have completed an Intellectual Property search, or have filed a registration for a trademark, service mark, copyright or patent.

THE POLICIES CAN OFFER YOU SUCH WORDINGS AND INSURANCE AGAINST THE FOLLOWING AREAS:

  • Legal expenses to defend your rights
  • Legal expenses to enforce your rights
  • Legal expenses to defend your agreements
  • Damages awarded if your defence is unsuccessful
  • Expert witness, enquiry and attendance expenses
  • Intended to apply to UK registered companies, firms or individuals within UK law
  • Claims against non-UK companies etc should be allowable if under UK law
  • Cover for non-UK companies etc may be available
  • Cover for Customs and Excise fees to monitor imports for surveillance of counterfeit goods

WHY DO I NEED INTELLECTUAL PROPERTY INSURANCE?

A competitor can financially wreck your company if you do not have the funds to hire a solicitor and pay the cost of all the legal fees associated with defending your right to a patent or trademark. An Intellectual Property policy will pay the costs to defend you if someone tries to claim the rights to the same business model, process, or application.

More than ever before, intellectual property claims involving infringement of patent, copyright and trademark are being filed and litigated at a tremendous cost to both parties.

Few standard insurance policies protect businesses from loss or damage to their intellectual property; however, a growing range of policies aimed specifically at intellectual property are available and businesses would do well to consider whether such a policy is available that is right for them.

A number of criminal and civil offences exist in copyright law. Careful consideration needs to be given to determine if the offence is indeed criminal or if it is a matter that can be resolved under civil law. Intellectual property laws vary greatly from country to country. Many developing countries and even some former Soviet and eastern European countries have insufficient protection for copyright holders, either due to a reluctance to enforce existing intellectual property laws or because such.

PROFESSIONAL INDEMNITY

Professional Indemnity should be considered and may even be compulsory for some businesses that offer a professional service. This includes traditional professionals such as architects, solicitors and accountants, but also new professionals such as technology service providers, environmental consultants, publishers and some manufacturers.

There is also an increasing need for companies providing design or informal technical advice to hold suitable indemnity cover against errors and omissions.

A Professional Indemnity policy will generally include protection against claims arising from:

  • Breach of professional duty or civil liability
  • Legal costs in defending a claim
  • Libel and slander
  • Liability for loss of documents
  • Liability for unintentional breach of copyright.

Professional Indemnity policies vary considerably in wording and it is essential that cover is arranged to protect fully against the risks run by the business.

Hamilton Leigh has over 20 years’ experience working with clients to ensure that the correct scope of cover is arranged, utilising a number of specialist Professional Indemnity Underwriters.
