Data leaks and data losses can lead to regulatory fines and PR nightmares, shut-down servers and loss of both confidence and future profits.
Most insurers strive for an ‘end to end’ approach: diagnosing the issue, fixing it, getting the business back on track and preventing ‘the domino effect’.
We have grouped these two distinct insurance products, Cybercrime and Commercial Crime, together as they are closely aligned.
Whereas ‘cyber’ crime policies are mostly to do with the consequences of a cyber attack from a technology viewpoint, ‘commercial’ crime deals with the wider subject of the consequences of all manner of fraud, both cyber fraud and other forms of fraud, like impersonation or identity fraud, quite often emanating from the same underlying cause: the theft of data.
Frequently Asked Questions
Do I need it?
hold sensitive customer details such as names and addresses or banking information;
rely heavily on IT systems and websites to conduct their business;
process payment card information as a matter of course.
Policies are generally available for SMEs with cover limits between £100k and £5 million, although significantly higher amounts of cover are available for firms facing more complex cyber risks.
Find the right level of cover for your business
You can choose from different levels of cover to ensure you get the right protection for your business. When working out the amount of cover you need, you should consider:
the amount and type of confidential, personal or sensitive data you hold
the size of your business
your dependence on computer systems.
Managing cyber risks
As well as putting adequate insurance in place, it is important for you to manage your own cyber risks as a business. This includes:
Evaluating first and third party risks associated with the IT systems and networks in your business
Assessing the potential events that could cause first or third party risks to materialise
Analysing the controls that are currently in place and whether they need further improvement
UK and European action to tackle cyber risks
The UK Government views cyber attacks as a highest level risk to national security, alongside terrorism threats. As such it has introduced a number of changes to help prevent cyber attacks, including:
Cyber Essentials, a basic cyber security hygiene standard to help organisations protect themselves against common cyber attacks
A National Cyber Crime Unit within the National Crime Agency
Cyber Information Sharing Partnership to allow Government and industry to exchange information on cyber threats
A single reporting system for people to report financially motivated cyber crime through Action Fraud
A UK National Computer Emergency Response Team (CERT) to improve national co-ordination of cyber incidents
A new Cyber Incident Response scheme in GCHQ to help organisations recover from a cyber security attack
A network of Centres of Excellence for Cyber Security Research within UK universities in 2013, to help provide reliable and up to date research and academic prowess.
It is important to understand the support you receive as part of the cover. Some policies provide a point of contact who will handle everything from the moment the insurer has agreed the claim, whereas others will let you manage the incident and decide which services you want to use from their list of suppliers.
Remember that your organisation may not have the people or experience to manage a data breach incident so third-party suppliers can often be a better route to take.
Beyond the basics
All policies have a set of exclusions, terms and definitions. Understanding these is important, so here are some additional questions to consider:
What security controls can you put into place that will reduce the premium?
Will you have to undertake a security risk review of some sort?
What is expected of you to reduce or limit the risks?
Will you get a reduction for each year you do not claim?
What assistance is provided to improve information governance and information security?
What and how big a difference to your future premiums will a claim make?
What support if any will be provided to assist in making the right security decisions for the industry / business you are in?
The security / protection industry is very fast changing; how can the insurance ensure that your policy is current?
Do all portable media/computing devices need to be encrypted?
What about unencrypted media in the care or control of your third-party processors?
Are malicious acts by employees covered?
Will you have to provide evidence of compliance to existing Data Protection Principles, in relation to your actual processing, to prove you were not acting disproportionately?
Although ignorance of the law is no excuse, we are just not able to keep up with all the compliance issues that may affect all the territories our company works in. Would you refuse a claim if you were processing data that may contravene laws in one country but not another, because insurance policies often stipulate that you must not be breaking the law?
What if there is uncertainty around whether the incident took place a day before the cover was in place or on the day?
Are the limits for expenses grouped together in a way that the maximum limit that is covered is likely to be achieved very quickly, unless you increase the cover?
Are all and any court attendances to defend claims from others covered?
Could you claim if you were not able to detect an intrusion until several months or years have elapsed, so you are outside the period of the cover (as with the Red October malware, which was discovered after about five years)?
Typical Cyber Attack Cover
24/7 Incident Response
Access to assurance experts
IT forensic expertise
Public relations advice
Crisis Management and breach coaching
Insurable Data Protection fines, defence costs from regulators.
Loss of Electronic Data
Notification costs, identity and credit monitoring costs, data restoration costs.
The financial consequences of losing or misappropriating customer or employee data.
Loss of Gross Profit during the indemnity period following a cyber event.
Cyber Business Interruption
Warranties & Conditions Precedent to Liability
Please see your policy schedule and check your policy wordings.
Should be adequate or more than adequate to deal with the consequences of any one of the above.
In the case of business interruption there would be an excess up to perhaps 12 hours. Otherwise the policy excess will vary depending on the size of the organisation’s turnover and exposure.
Optional Network Interruption
Loss of net profit as a result of a material interruption to the insured’s network, caused by a security breach.
Optional Cyber/Privacy extortion
Ransom payments (extortion loss) to third parties incurred in terminating a security threat.
Optional Digital Media Liability
Damages and defence costs incurred in connection with a breach of third party intellectual property, or negligence in connection with electronic content.
Provides ‘All risks’ cover for theft by employees and third parties, whether there is collusion or not. There is no distinction between the different types of fraud that third parties may commit.
Extensions: these normally have an inner limit or maximum sum insured, often as high as £250,000.00.
Cover for a client’s loss caused by the Insured’s employees is fully covered. Also covers theft from the client by a third party when the Insured has custody and control of the client’s money, securities, property or funds.
If a crime stops the Insured from carrying on its business, cover pays for the costs of temporary premises or temporary additional staff.
The Insured may be contractually penalised if a crime interferes with their performance under a contract; cover pays for such penalties.
Court Compensation Costs
When the Insured’s employees are required to attend court or a conference with a barrister or solicitor as the result of a covered crime, the policyholder is compensated for their time.
Destruction or damage
Covers the cost of replacing destroyed or damaged money and securities belonging to the Insured due to criminal acts.
The financial loss the Insured will suffer as the result of a crime will not be the only cost incurred. They will need to prove the amount of loss and may have suffered data damage to safes and vaults, lost interest payments or incurred legal defence costs. Cover provides an additional limit at no extra cost.
If the Insured’s identity is stolen or altered, the cost of rectifying the situation including defending the Insured against allegations on the grounds of such identity theft is covered.
Malicious Data Damage
As well as covering the costs of reconstituting data as the result of a crime, cover provides compensation where there is no intent to steal but rather to maliciously alter, delete or corrupt data. Cover is not restricted to data held solely in computer systems.
If the Insured can reduce or eliminate the loss that may result from a crime we will pick up the costs they incur in doing so.
Public Relations Consultancy Fees
A company can suffer adverse publicity following a crime; cover pays for the costs of expert advice to minimise its impact.
Public Utilities Fraud
As with telecommunications fraud, covers unauthorised charges even though no money, securities, property or funds have been stolen from the Insured thereby removing any ambiguity as to cover.
When charges are racked up fraudulently by unauthorised users, cover provides a sub-limit for such eventualities
Working With Us
Which Services will we Provide you with
The Business Insurance Bureau conducts both client and market research to identify solutions to the needs of an almost exclusively business clientele. We will make a recommendation once we have assessed your demands and needs.
All premiums due to insurers must normally be paid by you on or before the date that cover commences. Where alternative methods of payment are available these will be discussed with you so that arrangements can be put in place by the due date.
Confidentiality & Security
We are registered with the Data Protection Registrar. We will ensure that any information obtained from you is treated by us and anyone else involved in arranging, considering to arrange or managing your insurance, as Strictly Private and Confidential. We will not provide your information to anyone else unless we:
have your permission to do so, or
are required to by the FCA, or
are required to do so by law, or
are required to do so in the normal course of arranging or negotiating and maintaining, or renewing financial services products which we may from time to time approve.
We take appropriate steps to ensure the security of any money, documents, other property or information handled or held on your behalf.
All information in any form, with the exception of policy documents and certificates issued on behalf of insurers and supplied by us, to you, should be treated as Strictly Private and Confidential and not be released directly or indirectly to any other party, without our explicit consent.
Note: in transacting your insurances with The Business Insurance Bureau, you are deemed to have accepted our Terms of Business. Your accepting of these Terms of Business does not affect your statutory rights.
You must notify us as soon as possible of a claim and circumstances which may give rise to a claim. In the event of a claim you should contact this office and we will promptly advise you and if appropriate, issue you with a claim form and pass all details to your insurer. You should not admit liability or agree to any course of action, other than emergency measures carried out to minimise the loss, until you have an agreement from your insurer. We will remit claims payments to you as soon as possible after they have been received on your behalf. In the event that an insurer becomes insolvent or delays making settlement we do not accept liability for any unpaid amounts.
You would have the right to cancel a policy within 14 days of its inception or upon receipt of the policy documentation, whichever is the later. You would, as a Consumer and without providing a reason, cancel the policy by confirming this in writing to the address of our office through which your policy was placed. Any policy documentation and in particular any legal document, i.e. Certificate of Motor Insurance, Employers Liability Certificate, MUST be returned with your instruction to cancel. By exercising your right to cancel the policy, you are withdrawing from the contract of insurance.
Duration & Termination
Our services may be terminated without cause or penalty by giving one month’s notice in writing. In the event that our services are terminated by you other than at the expiry of the policy, we will be entitled to retain any fees and all of the brokerage payable. The responsibility for handling claims reported after the date of termination shall, in the absence of an express agreement, be the responsibility of the party taking over the role.