Cyberattacks can be costly, so having enough cover is critical. According to the UK government’s Cyber Security Breaches Survey 2020, released by the Department for Digital, Culture, Media and Sport, businesses that faced breaches with material outcomes suffered an average cost of £3,230 in the past 12 months. For medium and large firms, this average cost is £5,220. And breaches are common, with 46% of businesses and 26% of charities reporting at least one cybersecurity breach or attack in the last 12 months.
According to NimbleFins, the amount of cyber insurance a business needs depends on factors like your organisation’s size, the nature of your work and your annual turnover. Risks such as the type of data you hold and whether you have a private networked IT system (and the size of that network) also play a part in how much cyber coverage you’ll need.
One way to help decide how much cyber insurance you need is to think about the potential claims you could make. How would a cyberattack impact your business, and how much would it cost to remedy the situation?
First, take stock of the value of your hardware and software and how much they would cost to replace if they’re damaged or compromised in a cyberattack. Consider what systems and tools are critical to your daily operations.
In addition to considering the costs of replacing software and hardware, including hiring the experts needed to do so, you’ll need to consider legal costs. In fact, most cyber insurance claims include legal support. In three-fifths of claims in 2020, the policy covered at least one incident response, reputation management or forensic analysis.
Solicitors can charge a significant amount to inform regulators and your customers if you’ve been hacked. And if a cyberattack harms a business’s reputation, a policy should be sufficient to cover work by professionals to help with reputation management.
Solicitors aren’t the only experts you might need to hire in case of a cyberattack. You may also need IT experts to investigate the attack and help restore your systems. Like solicitors, IT experts are not cheap.
And then there’s business interruption cover, which is always good to include in your policy. This is particularly critical if you rely on systems or a website to trade. Consider the amount of turnover that could be lost if you’re the victim of a cyberattack and are prevented from trading until you can restore your systems.
In the case of businesses handling personal information, ‘privacy liability’ must be considered. It covers against infringement of privacy and provides legal costs and payments to claimants after a privacy breach.
And in some cases, the limit of insurance would also need to cover cyber extortion if you’re held to ransom. But not all policies cover this.
You’ll also need to consider the impact on third parties like your clients, for instance, if a business loses client data or intellectual property.
How to tell if your business needs cyber insurance
Industries regularly targeted by cybercriminals include healthcare, education, retail, transport, financial services, construction, and public services. So if you operate in these key industries, you should especially consider buying a cyber policy for protection.
Businesses that rely on IT systems or websites to carry out their trade will also want to look at cyber insurance, regardless of their industry. And if a business stores or uses a lot of personal and private data, it is worth considering cyber insurance.
Cyber insurance is particularly important if a business deals with payment information, as cybercriminals are especially tempted to exploit this vulnerability. A business faces paying out potentially expensive damages to affected customers or demands for a ransom of thousands of pounds.
Organisations that feel they would benefit from access to legal advice and work, IT expertise, plus peace of mind that financial assistance will be provided if their trade is interrupted, will benefit from cyber insurance.
Which businesses don’t need cyber insurance?
Some businesses feel they don’t need cyber insurance if they have sufficient coverage with other policies such as contents insurance, business interruption insurance or professional indemnity insurance.
While business interruption is a key clause in cyber insurance, standalone business interruption insurance may provide enough protection from loss of income or increased costs due to a cybercrime or IT system failure. It depends on what is covered by the policy.
Comprehensive contents insurance may cover digital asset replacement if a hack corrupts devices or makes them inoperable.
Professional indemnity insurance could cover compensation and legal fees related to losing data or negligence claims.
It is a matter of personal preference whether a business feels it is worth taking the risk of not having cyber insurance. Businesses should consider the risk of data being stolen or corrupted and the extent of trade being interrupted if a computer system breaks.
Considering the relatively low cost of cyber insurance (policies start from around £132 a year), any business with potential risk should seriously consider buying a policy.