Technology has also allowed businesses to collect vast amounts of data, assisting in their growth and development. With the benefits also comes risk, including that of breaching laws and regulations designed to protect personal data such as GDPR and from criminal parties looking to exploit businesses’ reliance on technology, for example by way of ransomware attacks and phishing scams. Though technology can remove an element of human involvement, it is still there and with it the risk of human error, where a single seemingly minor mistake can have significant detrimental consequences for a business. In fact, the UK’s Information Commissioners reported 90% of reported cyber data breaches were caused by human error. The efficiencies of technology has also contributed to an expectation of prompt delivery of goods and services. If you can’t do it, someone else will. These are all challenges that many businesses now face, which previously may not have featured so high on their risk register.
Though it is reported by the Department for Digital, Culture, Media & Sport that 78% of UK businesses identify cyber security as a high priority for their senior management and 32% of businesses having identified breaches or attacks in the last 12 months including phishing attacks, others impersonating an organisation in email and ransomware attacks, the Association of British Insurers advised that only 11% of businesses are thought to have specific cyber insurance. With the majority of businesses not incorporating specific cyber cover into their insurance programme, the concern is that there may be a reliance or belief that a business’s traditional commercial insurance programme, which may have changed a little over the years, would adequately cover these emerging and fast-evolving risks. Unfortunately, the majority of those traditional commercial policies are not equipped or intended to provide a broad range of covers needed, for example;
- Property Damage Insurance is intended to cover the cost of replacement or repair of material items damaged or destroyed from a specific peril such as fire, water damage, impact, not as a result of a virus or other malware.
- Business Interruption Insurance covers a business’s loss of revenue arising from damage to material items and other specified events. Again this is from specified perils, not arising from the disablement of IT system due to a cyber attack or due to the consequential reputational damage.
- Public Liability Insurance indemnifies the policyholder where their negligence has resulted in bodily injury to a third party or damage to their property. It isn’t intended to cover a policyholder for claims arising from the loss of third party data or damage to another party’s IT system as a consequence of the transmission of a virus from the business IT system.
There is always going to be an expectation to the rule, but even if the cover is provided it’s unlikely to fully address the risks that a business is exposed to from a cyber incident. With the number of cyber incidences growing in number and evolving, so has the specific cyber insurance product. As well as providing businesses with the financial and legal support needed following an incident, to ensure minimal disruption and loss of profit to the company, many cyber insurers are taking a more holistic approach to their clients’ risks by assisting them in preventing incidents or should an incident occur, minimising their disruptive effects, not only in monetary terms but also and in many cases the harder won reputation.
There is still a lot of variance in the cyber products offered by the market, with different insurers providing varying degrees of cover and risk management services. It’s therefore critical that a business works with a broker who has the expertise to align the risks faced by the business with the most suitable cyber insurance product.
Technology is here to stay and in the future, it is only expected to feature to a greater extent in our business activities, as will the associated risks. Businesses who haven’t already considered these risks and identified how they can be addressed, may with the wrong click of an email be left counting the cost.