Cyber and Commercial Crime
"A ransom email, no access to anything and my clients need help...now what?"
We have grouped these two distinct insurance products, Cybercrime and Commercial Crime, together as they are closely aligned.
Whereas ‘cyber’ crime policies mostly deal with the consequences of a cyber attack from a technology viewpoint, ‘commercial’ crime deals with the wider subject of the consequences of all manner of fraud, both cyber fraud and other forms of fraud, like impersonation or identity fraud, quite often emanating from the same underlying cause – the theft of data.
In an ever-changing digital landscape both at home and at work, we now need to cover all avenues where possible to protect our assets and minimise our liabilities.
A lot of people don’t think they need cyber cover because they aren’t sitting at a desk 9-5, but that would be a mistake. If you run a business and have client records on a device, then you need cover. Any device that could be attacked or intercepted is vulnerable, and means that you are walking around with a risk in your hand every single day.
Getting cover can be quite complex depending on the type of business you run and risks you have, so it’s wise to look into this kind of cover early on to give you and your broker enough time to help you meet the criteria.
Recent Important Changes
The UK Government views cyber attacks as a highest-level risk to national security, alongside terrorism threats. As such it has introduced a number of changes to help prevent cyber attacks, including:
- Cyber Essentials, a basic cyber security hygiene standard to help organisations protect themselves against common cyber attacks
- A National Cyber Crime Unit within the National Crime Agency
- Cyber Information Sharing Partnership, to allow Government and industry to exchange information on cyber threats
- A single reporting system for people to report financially motivated cyber crime through Action Fraud
- A UK National Computer Emergency Response Team (CERT) to improve national co-ordination of cyber incidents
- A new Cyber Incident Response scheme in GCHQ to help organisations recover from a cyber security attack
- A network of Centres of Excellence for Cyber Security Research within UK universities in 2013, to help provide reliable and up to date research and academic prowess.
It is important to understand the support you receive as part of the cover. Some policies provide a point of contact who will handle everything from the moment the insurer has agreed the claim, whereas others will let you manage the incident and decide which services you want to use from their list of suppliers.
Remember that your organisation may not have the people or experience to manage a data breach incident so third-party suppliers can often be a better route to take.
Typical Cyber Attack Cover
Data leaks and data losses can lead to regulatory fines and PR nightmares, shut down servers and loss of both confidence and future profits. Most insurers strive for an ‘end to end’ approach: diagnosing the issue, fixing it, getting the business back on track and preventing ‘the domino effect’.
24/7 Incident Response
Access to assurance experts
IT forensic expertise
Public relations advice
Crisis Management and breach coaching
Insurable Data Protection fines, defence costs from regulators.
Loss of Electronic Data
Notification costs, identity and credit monitoring costs, data restoration costs.
The financial consequences of losing or misappropriating customer or employee data.
Loss of Gross Profit during the indemnity period following a cyber event.
Cyber Business Interruption
Warranties & Conditions Precedent to Liability
Please see your policy schedule and check your policy wordings.
Should be adequate or more than adequate to deal with the consequences of any one of the above.
In the case of business interruption there would be an excess up to perhaps 12 hours. Otherwise the policy excess will vary depending on the size of the organisation's turnover and exposure.
Let's make it cheaper, by doing it right
Frequently Asked Questions
A cyber attack is when an entity outside of your organisation infiltrates your business’s private network to shut down and steal your information, stop production in some way or cause some kind of reputational damage to the business. The desired outcome is to cause disruption and most commonly to hold the company to ransom.
If you can answer yes to any of these questions then the answer is yes, you need the cover.
- Do you hold sensitive customer details such as names and addresses or banking information?
- Do you rely heavily on IT systems and websites to conduct your business?
- Do you process payment card information as a matter of course?
Policies are generally available for SMEs with cover limits between £100k and £5 million, although significantly higher amounts of cover are available for firms facing more complex cyber risks.
You can choose from different levels of cover to ensure you get the right protection for your business. When working out the amount of cover you need, you should consider:
- the amount and type of confidential, personal or sensitive data you hold
- the size of your business
- your dependence on computer systems
As well as putting adequate insurance in place, it is important for you to manage your own cyber risks as a business. This includes:
- Evaluating first and third party risks associated with the IT systems and networks in your business
- Assessing the potential events that could cause first or third party risks to materialise.
- Analysing the controls that are currently in place and whether they need further improvement.
- Making sure all staff are trained regularly on how to keep data safe.
- Keeping up with any legal changes that might invalidate any of your previous training/compliance.
The most common attack is a breach of your customer database to sell on the dark web or to scam directly. The average cost per record is £113 for a cyber breach, e.g. 1000 customer records = £113,000.00. Depending on the size of your client base, the outcome of this would most likely be much higher than the cost of insuring for cyber.
Loss of net profit as a result of a material interruption to the insured’s network, caused by a security breach.
Ransom payments (extortion loss) to third parties incurred in terminating a security threat.
Damages and defence costs incurred in connection with a breach of third party intellectual property, or negligence in connection with electronic content.
Provides ‘All risks’ cover for theft by employees and third parties, whether there is collusion or not. There is no distinction between the different types of fraud that third parties may commit.
Extensions: these normally have an inner limit or maximum sum insured, often as high as £250,000.00.
Cover for a client’s loss caused by the Insured’s employees is fully covered. Also covers theft from the client by a third party when the Insured has custody and control of the client’s money, securities, property or funds.
If a crime stops the Insured from carrying on its business, cover pays for the costs of temporary premises or temporary additional staff.
The Insured may be contractually penalised if a crime interferes with their performance under a contract; cover pays for such penalties.
When the Insured’s employees are required to attend court or a conference with a barrister or solicitor as the result of a covered crime, the policyholder is compensated for their time.
Covers the cost of replacing destroyed or damaged money and securities belonging to the Insured due to criminal acts.
The financial loss the Insured will suffer as the result of a crime will not be the only cost incurred. They will need to prove the amount of loss and may have suffered data damage to safes and vaults, lost interest payments or incurred legal defence costs. Cover provides an additional limit at no extra cost.
If the Insured’s identity is stolen or altered, the cost of rectifying the situation including defending the Insured against allegations on the grounds of such identity theft is covered.
As well as covering the costs of reconstituting data as the result of a crime, cover provides compensation where there is no intent to steal but rather to maliciously alter, delete or corrupt data. Cover is not restricted to data held solely in computer systems.
A company can suffer adverse publicity following a crime; cover pays for the costs of expert advice to minimise its impact.
If the Insured can reduce or eliminate the loss that may result from a crime, we will pick up the costs they incur in doing so.
As with telecommunications fraud, covers unauthorised charges even though no money, securities, property or funds have been stolen from the Insured, thereby removing any ambiguity as to cover.
When charges are racked up fraudulently by unauthorised users, cover provides a sub-limit for such eventualities.
"When the water came up to our knees we realised we might be a problem..."
"It's not about who pays who, it's about who told you to do that..."
"It wasn't until everyone was running past me that I realised what was going on..."
Don't take our word for it, here's what our clients say...
Making the small print...BIG
A Fair Presentation of the Risk
At the heart of insurance contracts is an obvious truth: you have an enormous advantage over the insurer. You know all about your business, its history, processes, people and management, but the insurer knows nothing – other than what you tell them.
You have a statutory duty to make a fair presentation of the risk. You must tell the insurer:
• Every material circumstance which you know or ought to know and/or
• Sufficient information that would cause the insurer to make further enquiries, if necessary, to review those material circumstances
• You are deemed to have the knowledge of the company’s senior management.
• You are deemed to have the knowledge of the person arranging the insurance (who is deemed to be a senior manager under statute).
• Anything that can be discovered by a reasonable search.
A failure to make a fair presentation of the risk gives the insurer various remedies, depending upon the nature of the failure, from avoiding the contract and not paying claims to modifying the basis of settlement.
Examples of Misrepresentation
It is often easier to demonstrate the consequences of risk presentation failure by example rather than theory. Here are some real life examples of typically forgotten or unrevealed material facts which later caused huge problems and repudiated claims:
A reprocessing plant did not reveal a series of small fires during their insurance year.
Following repeated false alarms, a retailer didn’t reveal that Police Response had been withdrawn.
A restaurant omitted to reveal repeated minor floods from an upstairs nightclub.
A construction company didn’t reveal potential employee claims recorded in their accident book.
A company failed to reveal written warnings to an employee over repeated dangerous driving.
A company failed to reveal that it had been ‘struck off’ by Companies House and was trading as a new legal entity under a different designation.
Compiling the Risk Presentation: an ongoing process
The compilation of risk information for presentation to an insurer might be thought to be simply contained in a proposal or risk presentation form; however, such forms are not exhaustive and cannot take account of circumstances which change beyond their compilation. Moreover, merely referring insurers to your website or dumping data is not making a fair presentation of the risk. ‘Fairness’ is a subjective test but it would certainly involve simplicity, clarity and relevant selection. Ongoing communication is vital, because the duty to disclose material circumstances is ongoing throughout the insurance year and at renewal of the insurances.
It’s important…
It is not possible to overstate the importance of researched, adequate risk presentation – there have been countless legal disputes, repudiated claims, ruined businesses and lives arising from the simple failure to reveal all the facts to an insurer. A failure to present risk adequately is a bigger risk than the risk you present. It doesn’t matter that the failure is innocent, something overlooked, forgotten or discounted as unimportant – it might be important to the insurer, in which case it must be revealed. Should there be anything not yet disclosed, or that you are unsure would influence your insurers about this insurance, tell your broker/insurer immediately.
Roll up, roll up! Read all about it...
The Business Insurance Bureau is famous for its simplification of the complex world of insurance. With corporate jargon galore, we believe that in order to run your business with peace of mind, you need simplistic and entertaining material when it comes to the ‘boring but important’ things like business insurance. In order to help you along the way we have created many colourful and cheery leaflets to help you understand what risks your business can face and how we can help you reduce them.
Recent feedback on our Extra Mile Claims Service for COVID-19
Who are The Business Insurance Bureau?
The Business Insurance Bureau is a niche specialist underwriter and commercial insurance broker, defying conventional categorisation, comprising a small number of gifted individuals forming a collective intellectual giant.
We have developed our own unique range of quality insurance products, which has given the business a competitive advantage in several areas. Being in control of the entire process, from enquiry to policy issue, has allowed our business to deliver service levels hitherto unimaginable in this sector, or indeed for a business of its physical size.
We insure a spectacularly diverse clientele, similarly exclusive and excellent in their field, who rely on The Business Insurance Bureau to protect their assets, minimise their liabilities and secure their future.