You are no doubt aware of the seriousness of a cyber-attack and the potential effects it can have on your business. You have also no doubt been bombarded by insurers and brokers with so much information about the insurance protection available that you may have been “blinded with science” by now.
So, what is the difference between Cyber Liability and Cyber Crime? What is the difference between Crime and Cyber Crime? Where are client account thefts insured? Where are office account thefts insured? What protection do I actually want for my business, and have I bought the right policy? Is insurance THE answer, or just AN answer? With so many potential solutions available, do you understand the differences between Cyber and Crime cover? Simply buying a “Cyber” policy may not be offering you the solution you think it is.
The threat of a cyber-attack on the business is very real and the risks are ever increasing, with some studies showing companies are being attacked weekly. Malware, especially ransomware attacks, is increasing, as are “phishing” and social engineering attacks. Information loss or theft is now the most expensive consequence of a cyber-crime, with financial services and the professions suffering the highest annualised costs associated with cyber losses.
So, what are some of the key areas you should consider when looking to protect the business from these threats? Are you worried about the impact on your business if you were to have your network access interrupted or to lose personal data? Or is the threat of more sophisticated means of fraud & theft resulting in the loss of money, securities and tangible assets that concerns you most? Hopefully, the following definitions will provide some clarity:
Cyber Liability
Is a reactive policy and will cover costs arising following a cyber-attack, including damage to hardware and software, the resultant interruption suffered by the business, security / privacy liability and customer notification costs as a result of a system breach, and the mitigation of any reputational damage that could arise. It doesn’t cover theft.
Cyber Crime
Will cover losses as a result of a cyber-attack, including theft of the firm’s own money by employees or third parties, threats of extortion, telephone hacking and exposures from any “phishing” type scams.
However, Cyber Crime does not just relate to fraudulent transfer of funds or telephone hacking, but also to theft or alteration of data or systems, malware including ransomware attacks, web-based attacks, malicious code, denial of service and malicious employees.
Crime policies not only address the shortfall of a Cyber Liability policy in relation to fraudulent transfer of funds or telephone hacking, but will also protect your business against telephone scams, fraudulent invoicing, telecommunications and public utilities fraud and corporate identity theft, and will include theft by employees as well as third parties.
Many Cyber policies do not automatically include fraudulent transfer of funds or telephone hacking, nor do they offer the option to include this cover. Where it is included, it can be subject to low sub-limits, so you need to check carefully that your policy provides the level of cover you need.
Crime Vs Cyber Crime
A Crime policy will cover theft by both employees and third parties, but not theft following a cyber-attack. A Cyber Crime policy will cover the same as the Crime policy, but it will also cover losses incurred through a cyber-attack, i.e. your system being hacked / breached.
Professional Indemnity Insurance (PII)
Thefts from the client account are insured under your PII policy, although there is now a greater onus on you under The Insurance Act 2015 to ensure that information provided to insurers is accurate, which has most likely already been explained to you. You should also bear in mind what your maximum exposure to a cyber-attack is. Insurers will only pay out up to the sum insured, so if your client (or office) account exceeds your insured indemnity limit, you may need to consider taking additional measures to restrict your exposure, whether by managing the risk or insuring it.
However, your PII policy will not cover the costs associated with forensic investigation, damage to your systems and rectification, or the notification costs to your clients that a breach has occurred. A Cyber Liability policy will cover these costs.
Theft from the office account by staff may be covered to some degree under an extension within your current Office or Directors and Officers policy, but you need to check this carefully because it is not a standard extension and not all insurers include it. No third party theft from the office account is covered under the PII policy.
Nobody wants to go through the stress and uncertainty that a cyber-attack can bring, and while an insurance policy may be able to offer some protection, it is of course not the only solution. There are other measures you can take to manage the cyber risk rather than just insuring it. Various steps can be taken, so speak to your specialist IT providers about what additional protection they can provide in order to mitigate your exposures as much as possible.
In our view, improving your IT protection in conjunction with a suitable insurance solution should give you the best protection, but it could be a dual cost which you may consider unnecessary, and you may prefer an “either/or” approach.
Whichever option you choose, you need to consider how prepared the business is to handle the risks and resultant consequences of a cyber-attack, and take the action you deem is the most appropriate.
PIB have produced the attached cyber risk “self-assessment” form, which will tell you whether you are a low, medium or high cyber risk and is a useful tool for judging whether, and what, additional measures you may need to consider. We also have a number of examples of real life cyber related claims which you may find interesting, and we would be happy to share these with you. If you would like to find out more or discuss the right protection for your business, contact us on 0121 647 7401 or email us at email@example.com