There is still a lack of awareness of cyber insurance in relation to cyber security, explains Edward Partridge of Marsh Commercial. While cyber attacks are not an emerging risk, from an insurance point of view, it is coming to increasing prominence. 

The insurance industry has collectively worked to clarify cyber insurance policy wordings to make sure that organisations understand what is and isn’t covered from a cyber security perspective in other covers, such as PII. In response, ICAEW has reworked its minimum insurance requirements which helps to give even further clarity. 

“Fortunately, it's now becoming more prevalent in terms of clients' understanding of the existence of cyber cover, and critically, the fact that it needs to be purchased in isolation to cover clients’ exposure,” Partridge tells ICAEW Insights.

What does cyber insurance cover?

Cyber insurance covers a number of impacts. Firstly, it typically covers the loss of income as a result of network interruption and any direct impacts on the business the attack has. A policy can cover the cost of responding to a cyber extortion event and restoring your data after it has been held to ransom. 

It covers loss of money arising from phishing attacks, costs related to breach responses and also investigation costs and assistance to trace and fix any intrusions. 

“Once an event has actually happened, it provides cover in order to make sure that doesn't happen again and some wordings will also help with any fines or expenses from certain regulatory bodies,” says Partridge. 

One of the most important and often overlooked elements, Partridge explains, is public relations (PR) cover. Many businesses don't necessarily consider the impact on their reputation as a result of an attack. “For example, if a business lost a sizable chunk of personal data, that business could experience a lack of trust by their clients and prospects going forward. So managing that PR exposure the business faces after that event is as critical as managing the initial event.”

Policy expectations

Any conditions or expectations attached to a policy will be specific to the individual circumstances of the organisation and what is covered as part of the policy. Some providers provide access to cyber audits for clients to review a business’s approach to cyber security and where they are potentially exposed to cyber attacks. 

“It basically helps them mitigate that exposure and do something about it before an event happens,” says Partridge. 

This audit helps policyholders stay informed about how to protect their business and reduce the risk of a cyber event occurring. But detecting potential exposures doesn’t necessarily mean that certain incidents won’t be covered, Partridge explains. 

“The key point with any insurance is to be absolutely clear on what's expected of you and the policy, and the subjectivities that are put down by the underwriter. Make sure you work with your broker to make sure that you are doing what's right to ensure that if an event does happen, you're protected.”

Choosing a policy

Don’t assume that cyber attacks are covered in your existing policies, such as PII, says Partridge; you probably won’t have the coverage that you need. So first and foremost, you need to think about taking out a separate policy. 

“Talk to your existing broker or existing provider about what cyber cover may be available. It's quite valuable to have your professional indemnity insurance and cyber insurance covered in the same market. That can help to overcome any grey areas where the two policies may overlap.” 

It's also important to work with a broker that understands the sector that you operate in, says Partridge. That will provide a deeper level of understanding of the specific exposures that your sector faces. Working with a generalist could mean the advice or products aren't as tailored towards your business as others, which may result in you not getting the coverage that you need.

It’s important to start the process early, says Partridge. In the current market, insurers are looking for a lot more information from clients than they were previously, which means that the entire process can take a lot longer and potentially drive costs up. “Starting the process early on means it's going to be more manageable. 

Finally, Partridge recommends partnering with a broker instead of going direct, to make sure you get the best possible policy for your business. “The broker will do the legwork for you and ensure that your information is being presented to the correct markets, as opposed to a blanket approach, which can actually damage the policyholder’s buying power. 

“Don't always assume that everything is picked up on the one policy. There are individual policies available for a reason. Partnering with somebody in a specific sector is going to help you to navigate that landscape a lot more efficiently than you would perhaps going alone.”