What Is Cyber Crime Insurance & Why Do I Need It?
If you ever thought “cyber crime” was just something large corporations had to worry about – think again.
Between 2012 and 2013, 87% of small businesses are reported to have had some form of “data breach”, whether from their own systems or through a third party service used in the course of their business (Department for Business Innovation & Skills 2013 Information Security Breaches Survey).
Here we look to answer three questions: what is cyber crime, what is different about cyber insurance, and why do you need it?
The term “cyber crime” can be a little misleading in that it is mainly associated with the hacking of computer systems. In reality it can be such an attack, but equally it could be the theft of a laptop or smartphone on which sensitive data is stored, or simply the loss of data from your IT systems or unauthorised access to it.
When it comes to the insurance requirements for cyber and data loss risks, they are separated into two distinct types: firstly, the loss or damage you incur and, secondly, the losses others incur, together with any breaches of data regulations.
Loss or Damage You Suffer
These include what you would recognise as your traditional risks, i.e. physical loss of or damage to your systems through fire, flood, theft, etc. Some of the more recent types of risk, such as Denial of Service attacks and viral extortion, would also be classed as loss or damage you suffer.
The costs for such losses can easily mount up as they do not just include an amount for a physical loss. When thinking about your insurance requirements you should also consider some of the following potential costs:
- Data recovery – The process of restoring “damaged” or “lost” data.
- Forensic data investigation – This is something you may need in order to identify how the loss occurred and the weakness(es) in your systems that allowed it to happen. It may also be needed to establish the full extent of the loss, i.e. experts will be able to take a detailed look at logs and other information on or connected to your systems that will identify fully what data has been “lost”, over what period and by which methods.
- Hardware and network replacement – If your network has been compromised or damaged in any way, you may need to replace it with more reliable systems, which could incur a significant cost.
- Business interruption and loss of profits – Your standard business interruption policy is unlikely to respond to a distributed Denial of Service attack.
- Crisis management or public relations support – The last thing you want is for your customers to find out about a loss through the media or, if and when the media do get wind of it, not to be prepared. You are therefore likely to incur costs for professionals in crisis management and PR to assist you.
- Data subject notification – In the event of the loss of personal data such as names, addresses, dates of birth and passwords the Information Commissioner’s Office may require you to write to each affected individual to inform them of the loss and to provide appropriate advice.
- Credit/identity theft monitoring for those whose data has been lost or exposed – You may be required to purchase an ongoing service for each affected person that monitors their credit rating and other sources for activity involving their identity, in an attempt to spot any unexpected or unusual activity and alert them to a possible misuse of their personal information.
Losses to Others & Regulatory Data Breaches
These types of risks include:
- Liability for your network security – Enabling malware to travel through your network into other people’s or organisations’ systems, or the “hijacking” of your network for use in Distributed Denial of Service or similar attacks on other people’s computers or systems.
- Loss of, or accidental or negligent transmission of, general or sensitive personal data in breach of data protection regulations.
- Extortion including ransom demands related to threat of revealing sensitive data or threat of Denial of Service/Distributed Denial of Service attacks, etc.
- Regulatory costs – The Information Commissioner’s Office has the power to impose fines of up to £500,000 for a breach of regulations. It is generally the case that fines cannot be covered by insurance (since doing so would reduce their impact as a punishment), but in some circumstances there can be cover for civil penalties. It is a complex area, but a good cyber liability policy will provide cover where this is permitted by law.
It should be noted that the European Commission plans to regulate data protection within the European Union with a single law, the General Data Protection Regulation. This new law, as currently drafted, will enable fines of up to 5% of worldwide turnover or €100 million, whichever is greater. The new regulation is expected to be adopted in late 2014 with a two year transition period to enforcement in 2016.
- Defence costs – Should an investigation by the Information Commissioner’s Office result in a formal prosecution case you are likely to incur further considerable expense in defending the case through the courts.
There is also the potential for compensation claims for breach of privacy. With the recent high profile “phone hacking” case, the public are much more alert to what a breach of their privacy entails.
If your business is found to have committed a regulatory data breach you may find yourself on the other end of either a significant number of actions or a class action claim for compensation as a result. You only need to imagine it happening to you, as a private individual, to realise the potential for such actions.
You may believe that many of these risks would be covered by your existing public liability, business interruption or Directors & Officers insurance covers. Unfortunately, this is simply not the case.
Take for example your business interruption cover. Although it is possible to include extensions under your business interruption policy, such as breakdown cover, in many cases the technology storing the data that is subject to an attack (a Denial of Service or Distributed Denial of Service attack, for instance) may stop working at full capacity for a period but will not be seen to have “broken down”, and so a claim under such an extension will not be eligible.
This is just one of many examples where your traditional insurance policy was simply not designed to respond to today’s cyber crime risks, and where ideally a cyber crime insurance policy would be needed to provide the relevant protection.
We have recently published a guide to Understanding Cyber Crime & Data Loss Risks which goes into more detail of why these types of insurance do not provide suitable cover for such risks.