You cannot turn on your TV or look at your smartphone without seeing another story on the latest data breach or another technology advancement to protect your data. It is currently one of the hottest topics and one which threatens individuals, small businesses, larger commercial companies, and global corporations alike.
According to a recent report, there were 6,500 cyber incidents leading to data loss in 2018. Some of these made headline news: British Airways lost 380,000 card payment details, T-Mobile lost 2 million customers’ data, including encrypted passwords, and Facebook lost 29 million customers’ data. But it is not just the big corporations in the news that are affected; hackers and cyber criminals are targeting individuals and small businesses too. If you hold personal data, you are a target, and following the introduction of GDPR in May 2018 you are responsible for protecting this data and notifying the ICO in the event of a breach. You can find out more about this in our blog post from last year.
Today we will debunk 5 common misconceptions of cyber liability insurance and explain why cyber security should be the number one priority for all businesses.
1. “Cyber attacks only affect big businesses, we are too small to be a target…”
As I outlined above, we’ve all seen the major corporations falling victim to cyber attacks because they have been heavily reported in the news. What you do not hear about is the small business whose employee opened a phishing email, giving hackers access to all the personal data it held. Or the small solicitor firm whose emails were intercepted with a social engineering scam, so that a house deposit was transferred to a fraudster instead. Just because these smaller attacks are not reported in the mainstream media does not mean they don’t happen.
Cyber criminals see smaller businesses as easy targets because they often lack the resources necessary to invest in IT security or provide cyber security training to their staff. The ICO reported that 60% of small businesses fail within 6 months of an attack due to the costs involved and the reputational impact if it is not dealt with in the right way. A cyber liability policy provides cover for these scenarios, so you do not have to pay the costs yourselves, which could lead to you losing your business altogether.
2. “My commercial insurance already covers me for cyber”
Cyber liability insurance is available because it has been designed to fill the gaps in traditional insurance products. Insurance companies had businesses coming to them following an attack expecting assistance, but there was nothing written into their policies to cover such an event. A standalone cyber policy provides access to an incident response team who are qualified to deal with cyber attacks. You also get a crisis management team who will manage the situation and provide PR support.
3. “We invest in our IT security so do not need insurance cover”
Not purchasing cyber cover because you have good IT systems is the same as not including theft cover because you have a good alarm system. You make sure your physical contents are protected, and you need to do the same for your intellectual property. Even if you invest in your technology and people to limit the risk of an attack, they will never be 100% secure, and the purpose of cyber liability insurance is to respond and offer protection when the worst happens.
4. “We outsource our IT so I don’t need my own cover”
This will reduce your risk but it does not completely eliminate it. If you use a third party company and they have a breach, the responsibility of notification still lies with you. The paperwork involved in notification and the logistics of notifying everyone affected are both difficult and time consuming; any mistakes can leave you vulnerable. A cyber liability policy will provide you with an expert to guide you through this process. Not only does the notification still lie with you, but when you rely on a third party provider and they lose access, so do you. If you do not have cyber liability insurance in place, the business interruption loss will be left to you.
5. “We don’t have any sensitive data so we don’t need this cover.”
Although data breach and privacy exposure is a big part of cyber liability insurance cover, it is not the only thing it will cover you for. Some of the most common cyber claims are for funds transfer fraud and for system damage or business interruption following a ransomware attack. In our previous solicitor example, a funds transfer fraud was carried out by using a fraudulent email: the cyber criminal posed as a senior executive making an urgent request to a junior employee to make the transfer. They did not hold a huge amount of personal data, but any business that transfers money from business accounts should consider cyber liability insurance. In 2017 the WannaCry and NotPetya ransomware attacks crippled manufacturing and logistics companies; they did not target personal data but rather stopped business-critical computer systems. Without a cyber liability insurance policy, the costs of rebuilding or replacing these systems are left to you.
The threat of cyber attacks is ever-present and is not going away. Hackers and cyber criminals are getting more sophisticated in their methods, and the increasing connectivity of our lives means that there are more opportunities for these criminals to obtain your data and interrupt your business. Businesses have the most at stake; an attack impacts your income and your reputation, and can also prevent you from continuing to trade. You can take steps to protect yourselves, but in the unfortunate event that you have a breach, a cyber liability policy will be there to support you, provide legal assistance and provide indemnity for fines.