The Business Insurance Bureau

Cyber and Commercial Crime

"A ransom email, no access to anything and my clients need what?"


We have grouped these two distinct insurance products, Cybercrime and Commercial Crime, together as they are closely aligned.

Whereas ‘cyber’ crime policies are mostly to do with the consequences of a cyber attack from a technology viewpoint, ‘commercial’ crime deals with the wider subject of the consequences of all manner of fraud, both cyber fraud and other forms of fraud, such as impersonation or identity fraud, quite often emanating from the same underlying cause – the theft of data.

In an ever-changing digital landscape both at home and at work, we now need to cover all avenues where possible to protect our assets and minimise our liabilities. 

A lot of people don’t think they need cyber cover because they aren’t sitting at a desk 9-5, but that would be a mistake. If you run a business and have client records on a device, then you need cover. Any device that could be attacked or intercepted is vulnerable, which means that you are walking around with a risk in your hand every single day.

Getting cover can be quite complex depending on the type of business you run and risks you have, so it’s wise to look into this kind of cover early on to give you and your broker enough time to help you meet the criteria. 


Recent Important Changes

The UK Government views cyber attacks as a highest-level risk to national security, alongside terrorism threats. As such, it has introduced a number of changes to help prevent cyber attacks, including:

  • Cyber Essentials, a basic cyber security hygiene standard to help organisations protect themselves against common cyber attacks
  • a National Cyber Crime Unit within the National Crime Agency
  • Cyber Information Sharing Partnership to allow Government and industry to exchange information on cyber threats
  • a single reporting system for people to report financially motivated cyber crime through Action Fraud
  • a UK National Computer Emergency Response Team (CERT) to improve national co-ordination of cyber incidents
  • a new Cyber Incident Response scheme in GCHQ to help organisations recover from a cyber security attack
  • a network of Centres of Excellence for Cyber Security Research within UK universities in 2013, to help provide reliable and up to date research and academic prowess.

It is important to understand the support you receive as part of the cover. Some policies provide a point of contact who will handle everything from the moment the insurer has agreed the claim, whereas others will let you manage the incident and decide which services you want to use from their list of suppliers.

Remember that your organisation may not have the people or experience to manage a data breach incident so third-party suppliers can often be a better route to take.

Frequently Asked Questions

If you can answer yes to any of these questions then the answer is yes, you need the cover. 

  • Do you hold sensitive customer details such as names and addresses or banking information?
  • Do you rely heavily on IT systems and websites to conduct your business?
  • Do you process payment card information as a matter of course?

Policies are generally available for SMEs with cover limits between £100k and £5 million, although significantly higher amounts of cover are available for firms facing more complex cyber risks.

You can choose from different levels of cover to ensure you get the right protection for your business. When working out the amount of cover you need, you should consider:

  • the amount and type of confidential, personal or sensitive data you hold
  • the size of your business
  • your dependence on computer systems

As well as putting adequate insurance in place, it is important for you to manage your own cyber risks as a business. This includes:

  • Evaluating first and third party risks associated with the IT systems and networks in your business.
  • Assessing the potential events that could cause first or third party risks to materialise.
  • Analysing the controls that are currently in place and whether they need further improvement.
  • Making sure all staff are trained regularly on how to keep data safe.
  • Keeping up with any legal changes that might invalidate any of your previous training/compliance.

Let's make it cheaper, by doing it right

What's Covered?

Typical Cyber Attack Cover

Data leaks and data losses can lead to regulatory fines and PR nightmares, shut-down servers and loss of both confidence and future profits. Most insurers strive for an ‘end to end’ approach: diagnosing the issue, fixing it, getting the business back on track and preventing ‘the domino effect’.

24/7 Incident Response

Access to assurance experts

Legal advice

IT forensic expertise

Public relations advice

Crisis Management and breach coaching

Data Protection

Insurable Data Protection fines, defence costs from regulators.

Loss of Electronic Data

Notification costs, identity and credit monitoring costs, data restoration costs.

Data Liability

The financial consequences of losing or misappropriating customer or employee data.

Cyber Extortion

Loss of Gross Profit during the indemnity period following a cyber event.

Cyber Business Interruption

Warranties & Conditions Precedent to Liability

Please see your policy schedule and check your policy wordings.

Sums Insured

Should be adequate or more than adequate to deal with the consequences of any one of the above.

Policy Excess

In the case of business interruption there would be an excess up to perhaps 12 hours. Otherwise the policy excess will vary depending on the size of the organisation's turnover and exposure.

Optional Covers

Loss of net profit as a result of a material interruption to the insured’s network, caused by a security breach.

Ransom payments (extortion loss) to third parties incurred in terminating a security threat.

Damages and defence costs incurred in connection with a breach of third party intellectual property, or negligence in connection with electronic content.

Provides ‘All risks’ cover for theft by employees and third parties, whether there is collusion or not. There is no distinction between the different types of fraud that third parties may commit.

Extensions: these normally have an inner limit or maximum sum insured, often as high as £250,000.00.

A client’s loss caused by the Insured’s employees is fully covered. Also covers theft from the client by a third party when the Insured has custody and control of the client’s money, securities, property or funds.

If a crime stops the Insured from carrying on its business, cover pays for the costs of temporary premises or temporary additional staff.

The Insured may be contractually penalised if a crime interferes with their performance under a contract; cover pays for such penalties.

When the Insured’s employees are required to attend court or a conference with a barrister or solicitor as the result of a covered crime, the policyholder is compensated for their time.

Covers the cost of replacing destroyed or damaged money and securities belonging to the Insured due to criminal acts.

The financial loss the Insured will suffer as the result of a crime will not be the only cost incurred. They will need to prove the amount of loss and may have suffered data damage to safes and vaults, lost interest payments or incurred legal defence costs. Cover provides an additional limit at no extra cost.

If the Insured’s identity is stolen or altered, the cost of rectifying the situation including defending the Insured against allegations on the grounds of such identity theft is covered.

As well as covering the costs of reconstituting data as the result of a crime, cover provides compensation where there is no intent to steal but rather to maliciously alter, delete or corrupt data. Cover is not restricted to data held solely in computer systems.

A company can suffer adverse publicity following a crime. Covers the costs of expert advice to minimise its impact.

If the Insured can reduce or eliminate the loss that may result from a crime we will pick up the costs they incur in doing so.

As with telecommunications fraud, covers unauthorised charges even though no money, securities, property or funds have been stolen from the Insured thereby removing any ambiguity as to cover.

When charges are racked up fraudulently by unauthorised users, cover provides a sub-limit for such eventualities.


Making the small print...BIG

A Fair Presentation of the Risk
At the heart of insurance contracts is an obvious truth: you have an enormous advantage over the insurer. You know all about your business, its history, processes, people and management, but the insurer knows nothing – other than what you tell them.

Your Duties
You have a statutory duty to make a fair presentation of the risk. You must tell the insurer:
• Every material circumstance which you know or ought to know and/or
• Sufficient information that would cause the insurer to make further enquiries, if necessary, to review those material circumstances

Your Knowledge
• You are deemed to have the knowledge of the company’s senior management.
• You are deemed to have the knowledge of the person arranging the insurance (who is deemed to be a senior manager under statute).
• Anything that can be discovered by a reasonable search.

A failure to make a fair presentation of the risk gives the insurer various remedies, depending upon the nature of the failure, from avoiding the contract and not paying claims to modifying the basis of settlement. 

Examples of Misrepresentation
It is often easier to demonstrate the consequences of risk presentation failure by example rather than theory. Here are some real life examples of typically forgotten or unrevealed material facts which later caused huge problems and repudiated claims:







A reprocessing plant did not reveal a series of small fires during their insurance year.

Following repeated false alarms, a retailer didn’t reveal that Police Response had been withdrawn.

A restaurant omitted to reveal repeated minor floods from an upstairs nightclub.

A construction company didn’t reveal potential employee claims recorded in their accident book.

A company failed to reveal written warnings to an employee over repeated dangerous driving.

A company failed to reveal that it had been ‘struck off’ by Companies House and was trading as a new legal entity under a different designation.

Compiling the Risk Presentation: an ongoing process

The compilation of risk information for presentation to an insurer might be thought to be simply contained in a proposal or risk presentation form. However, such forms are not exhaustive and cannot take account of circumstances which change beyond their compilation. Moreover, merely referring insurers to your website or dumping data is not making a fair presentation of the risk. ‘Fairness’ is a subjective test but it would certainly involve simplicity, clarity and relevant selection.

Ongoing communication is vital, because the duty to disclose material circumstances is ongoing throughout the insurance year and at renewal of the insurances.

It’s important…

It is not possible to overstate the importance of researched, adequate risk presentation – there have been countless legal disputes, repudiated claims, ruined businesses and lives arising from the simple failure to reveal all the facts to an insurer. A failure to present risk adequately is a bigger risk than the risk you present.

It doesn’t matter that the failure is innocent, something overlooked, forgotten or discounted as unimportant – it might be important to the insurer, in which case it must be revealed.

Should there be anything not yet disclosed, or anything that you are unsure would influence your insurers about this insurance, tell your broker/insurer immediately.



Working With Us

Services

The Business Insurance Bureau conducts both client and market research to identify solutions to the needs of an almost exclusively business clientele. We will make a recommendation once we have assessed your demands and needs.

Payment Terms

All premiums due to insurers must normally be paid by you on or before the date that cover commences. Where alternative methods of payment are available these will be discussed with you so that arrangements can be put in place by the due date.

Confidentiality & Security

We are registered with the Data Protection Registrar. We will ensure that any information obtained from you is treated by us and anyone else involved in arranging, considering to arrange or managing your insurance, as Strictly Private and Confidential. We will not provide your information to anyone else unless we:

  • have your permission to do so, or
  • are required to by the FCA, or
  • are required to do so by law, or
  • are required to do so in the normal course of arranging or negotiating and maintaining, or renewing financial services products which we may from time to time approve.

We take appropriate steps to ensure the security of any money, documents, other property or information handled or held on your behalf.

All information in any form, with the exception of policy documents and certificates issued on behalf of insurers and supplied by us, to you, should be treated as Strictly Private and Confidential and not be released directly or indirectly to any other party, without our explicit consent.

Note: in transacting your insurances with The Business Insurance Bureau, you are deemed to have accepted our Terms of Business. Your accepting of these Terms of Business does not affect your statutory rights.

Claims

You must notify us as soon as possible of a claim and circumstances which may give rise to a claim. In the event of a claim you should contact this office and we will promptly advise you and if appropriate, issue you with a claim form and pass all details to your insurer. You should not admit liability or agree to any course of action, other than emergency measures carried out to minimise the loss, until you have an agreement from your insurer. We will remit claims payments to you as soon as possible after they have been received on your behalf. In the event that an insurer becomes insolvent or delays making settlement we do not accept liability for any unpaid amounts.

Cancellation Rights

You would have the right to cancel a policy within 14 days of its inception or upon receipt of the policy documentation, whichever is the later. You would, as a Consumer and without providing a reason, cancel the policy by confirming this in writing to the address of our office through which your policy was placed. Any policy documentation and in particular any legal document, i.e. Certificate of Motor Insurance, Employers Liability Certificate, MUST be returned with your instruction to cancel. By exercising your right to cancel the policy, you are withdrawing from the contract of insurance.

Duration & Termination

Our services may be terminated without cause or penalty by giving one month’s notice in writing. In the event that our services are terminated by you other than at the expiry of the policy we will be entitled to retain any fees and all of the brokerage payable. The responsibility for handling claims reported after the date of termination shall in the absence of an express agreement be the responsibility of the party taking over the role.
