In today's digital age, cyber threats are more pervasive and damaging than ever before. From data breaches and ransomware attacks to system disruptions and reputational damage, businesses face an increasingly complex array of cyber risks. As these threats grow in sophistication, cyber insurance becomes imperative. In this article, we explore the key benefits of cyber insurance, what it covers and why it's crucial for businesses of all sizes to consider cyber insurance as part of their overall risk management strategy.

Benefits of Cyber Insurance

According to the Willis 2023 Directors and Officers Liability survey, the top three risks that directors and officers are concerned about are cyber attacks, data loss and cyber extortion.

A cyber insurance policy is an intrinsic part of any company's risk management strategy. It enables a company to protect its balance sheet by transferring risk to a third-party supplier. Although a policy can't prevent a cyber incident from occurring in the first place, it can provide the forensic help to bring the incident to a halt and restore a company's systems as swiftly as possible, as well as cover the costs of the consequences and assist in mitigating the reputational impact.

Companies are advised to understand the extent of their exposure to cyber risks before they seek to take out a policy. The process of procuring cyber insurance thus helps to compel the board to identify where in their business they are most vulnerable, and to quantify the financial impact of possible worst-case scenarios. Cyber insurers will in any event require their policyholders to have a minimum level of cyber resilience before agreeing to accept the risk, so companies will be encouraged to assess and improve their controls, and to implement effective crisis management protocols.

If your business is a supplier, then having cyber insurance can be used as a form of accreditation. It will demonstrate to customers that you have identified potential systemic risks and sought to address them.

What does a cyber policy cover?

A policy will provide an indemnity in respect of both first party costs and third party costs.

As regards first party cover, a good policy will typically include:

  • Business interruption losses – both loss of profit and increased cost of working, often limited to a maximum time during the period of actual network interruption, e.g. 90 or 120 days. Cover for losses caused by a cyber incident in the supply chain is becoming increasingly widely available;
  • Cost of an IT forensic expert;
  • System restoration/data recovery costs;
  • Breach response costs (including costs of notifying customers, manning a call centre, legal advice, credit monitoring services);
  • Cyber extortion (including the cost of specialist ransom consultants, and in most (but not all) cases, the ransom payment itself);
  • Cost of a PR expert to mitigate reputational damage.

As regards third party cover, this commonly includes:

  • legal defence costs, and damages and costs awarded against you, in the event of claims from third parties, such as claims for non-compliance with the General Data Protection Regulation (GDPR) and for failing to keep personal data secure;
  • legal defence costs, and damages and costs awarded against you, in the event of claims against you, such as for defamation or intellectual property infringement (useful if you transmit digital data via email or a website, have substantial advertising on your website, or rely on a large social media or digital content creation business model);
  • legal defence costs in the event of a regulatory investigation, e.g. by the Information Commissioner's Office (ICO).

What does a cyber policy not cover?

  • Future loss of profit/fall in share price caused by reputational damage;
  • Damage to property (other than damage to computer equipment specifically covered);
  • Fines and penalties uninsurable as a matter of law (cover for fines from the ICO for breach of the GDPR is currently a grey area, as there has not yet been any court ruling on this issue. In the event of insurers declining cover, policyholders should require a reasoned explanation);
  • The most widely used of the war exclusions meeting Lloyd's guidelines (which focus on ensuring clarity and understanding in insurance policies) excludes all losses arising out of war, and all losses arising out of cyber operations that take place as part of a war. Cyber attacks deployed by nation states outside of a war may or may not be excluded, depending on the specific facts. Only those losses arising from affected computer systems located in countries that are the direct targets of cyber attacks are excluded, meaning that there can be cover for indirect damage caused to systems in countries that are not the direct target. The scope of insurers' war exclusions differs considerably though, so this should be carefully examined;
  • Many policies will not cover the cost of implementing new technology and systems beyond the specification that existed prior to the incident, so as to improve cyber resilience going forward;
  • Social engineering fraud is often not covered as standard but may well be available by way of an optional extension, upon payment of an additional premium. This fraud is where funds are voluntarily transferred by an employee to a third party due to fraudulent transfer instructions, often from someone impersonating a senior manager. Any cover available will usually be subject to a specific deductible and a sub-limit. You should make sure you understand exactly what is covered here, as social engineering fraud can sometimes be restricted to scenarios where the policyholder's network is also compromised, which is often not the case.

Why do I need a standalone cyber policy, if I have cover for cyber incidents in other policies?

Research shows that many businesses are reluctant to purchase a cyber policy, thinking that they already have adequate cover for cyber risks by virtue of their other insurance policies. This is rarely the case, however.

Property all risks policies, for example, might provide you with cover for property damage and any resultant business interruption, but there would not be any cover for the cost of items such as data restoration, an IT forensic expert or PR expenses. These types of losses are also unlikely to be covered under other general liability policies.

In addition to this, even if certain cyber risks are expressly included within liability or property policies, some of the definitions in these policies are narrowly drafted and may not be appropriate to cover exactly what has happened in a typical cyber incident scenario. A cyber risk policy, which is specifically designed to cover these types of risks, is more likely to cover what you need it to cover.

Another danger to be aware of is that a claim arising out of a cyber incident can significantly erode the limit of indemnity available for other risks covered by a liability policy, leaving a business out of pocket. It also may unduly impact the renewal of essential and sometimes mandatory insurances, such as professional indemnity insurance for certain professionals.

Do cyber policies actually pay out?

Yes, they most certainly do. Now could well be an excellent time to purchase one, as the cyber insurance market has been a very favourable environment for buyers in 2024. Increased market capacity has resulted in substantial improvements in rates and pricing, and insurers are more willing to supply quotes based upon less comprehensive underwriting information than in previous years. The exception to this trend will likely be where a company's cyber controls are considered to be insufficient by insurers, or if there has been previous claims activity in the cyber sphere.

Next steps: Is my business fully protected with the right cyber insurance?

As cyber risks continue to evolve, having the right insurance coverage in place is not just a precaution—it's a strategic necessity. Cyber insurance offers invaluable protection and helps to manage the reputational fallout of a breach. While no policy can prevent an attack, the right cyber insurance policy can be a lifeline in navigating the aftermath and getting back on track. Our Privacy & Cyber Security team is on hand to offer you guidance and support with navigating your cyber insurance needs. If you have any questions surrounding the points raised in this article, reach out to Amber Strickland or Susannah Fink.