By Rowlands & Hames - 30 September 2014
The increasing frequency and severity of cyber attacks and their impact on business can no longer be ignored. But insuring against exposures from a security breach requires more than an extension to a traditional property or liability policy.
More money is said to be made from cyber crime than the illicit drugs trade. Personal information, credit card details and project plans held on computer networks are virtual gold bars for cyber criminals. Research from both sides of the Atlantic shows the number of attacks is rapidly rising.
A cyber incident is likely to be expensive and damaging. Business may have to come to a halt while the company traces and repairs the weakness in its network. The 2011 Cost of Cyber Crime Study of 50 companies by the US Ponemon Institute found each suffered more than one successful attack each week of varying severity in 2010. The average time to resolve an external cyber attack was 18 days, and average cost was $416,000.
But repairing the damage from cyber attacks can take much longer, and cost much more. Sony took about 40 days to restore fully its PlayStation and other entertainment systems after discovering it had been hacked earlier this year. The US-based Heartland Payment Systems, which processes credit card payments, revealed that a security breach cost the company $114.9 million after insurance recoveries.
“It isn’t easy to say what the impact on the business will be following a major event,” says Simon Milner, a Partner within JLT Specialty’s Financial Risks division. “The company is almost certainly going to lose money for one quarter and probably two.”
Surveys from the UK and the US indicate that most businesses suffer security incidents. Glyn Thoms, an Associate within JLT Specialty’s Financial Risks division, points out that companies that do not do business direct with the public still hold sensitive personal details on their employees. Neil Hare-Brown, CEO of QCC Information Security, notes that B2C company executives and sales people frequently use company credit cards, which can be vulnerable to cyber attack.
Coverage offered by dedicated policies includes:
Traditional business insurance policies were designed long before the arrival of the internet. Even with a cyber risks extension, they will not cover all the exposures a business will face from a security breach, says Chris Newton, Managing Director of Principia Underwriting. Notifying customers is just one of many costs – the company will need expert advice to restore the damage and manage the impact, and sales may cease while systems are under repair. “There are a number of trigger points, not least of which is the lost income,” Newton adds.
Milner says that the market for cyber risks insurance is maturing, and today there are stand-alone cyber insurance products with modular structures, so that it is possible to select which covers to buy.
Policies are now available for smaller and medium-sized businesses that will wrap around their existing property and third party insurance programmes. This is a first party cover that includes the cost of forensic technical and legal advice and compliance with credit card issuer requirements.
Businesses seeking protection from cyber crime must consider their exposure carefully, choosing insurance cover that meets their needs. What is the waiting period on the business interruption before coverage will apply? Forty-eight hours, even 36 hours? This should be six or eight hours, and at worst ten or twelve. Business interruption insurance can offer a 12-month indemnity rather than just loss of revenue while your network is temporarily unavailable.
Attacks by insiders are less frequent but tend to take much longer to repair, so companies should consider taking out insurance that specifically covers the acts of employees and sub-contractors.
While not all companies are yet legally required to notify customers of compromised data (although EU legislation is set to change this) companies often want to voluntarily notify their customers to limit reputational damage. Voluntary notification coverage can help. Credit file monitoring cover will also help restore your customers’ trust if they have fallen victim to credit card fraud or other crime because of a breach in your systems.
Lastly, because the services of the experts needed to undertake a forensic investigation are perhaps the most significant expense, it is worth considering covering this cost with insurance. Legal costs, including the means to defend a privacy breach action brought by regulators, can also be covered, significantly reducing the risk of major outlays should the worst happen.
For more information, please see our dedicated Cyber page by visiting http://www.rowlands-hames.co.uk/cyber-and-internet
Rowlands & Hames would like to thank Lee Coppack and JLT Group for the use of this article.