Everything you needed to know about cyber insurance

Author: ICAEW Insights

Published: 14 Oct 2025

Cyber insurance has never been more crucial for businesses. Here’s a guide to what you should be looking out for when choosing a provider.

As we become more digitised and reliant on technology and AI, the cyber threat increases, and the insurance space is also evolving in response. There has been a significant shift from reactive to proactive policies, with insurers providing continuous risk assessment and risk management services throughout the policy's duration, rather than a one-time assessment at the beginning.

Cyber insurance, which protects businesses from the financial fallout from cyber attacks and data breaches, should be a serious consideration for businesses of all sizes.

Do I need cyber insurance?

It is recommended that most, if not all, businesses have cyber insurance. This is becoming particularly important because the threat level for all organisations has increased as AI has become more prevalent. Senior government ministers have warned that the growth of AI will lead to an increase in cyberattacks. Research by cyber security firm NordVPN reveals that the UK is the third ‘most targeted’ country, and businesses need to ensure they have the right insurance in place.

“Any business that has employees, customers, transfers money, or holds data has a cyber risk,” says Claud Bilbao, RVP, Underwriting & Distribution UK, Cowbell UK. “Every business has a cyber exposure.”

What does cyber insurance cover?

Cyber insurance covers incidents such as data breaches, phishing attacks, and ransomware, where systems are locked down until money is paid to the perpetrators.

Policies can cover costs associated with every aspect of a cyber attack, such as accessing specialist teams to investigate the source and/or entry points of the attack; repairing and restoring networks; and legal costs. They can also cover business disruption costs and customer lawsuits due to data breaches.

“There is a whole suite of services and support, including a bespoke cyber policy which is available at the time of the claim,” says Bilbao. “It might be the cost of investigating a potential data breach, for example, or the cost of technical forensic teams who assess and understand what’s happened and then restore the network. In the event of ransom and extortion events, the policy may cover the ransom amount depending on the jurisdiction.”

Are there different kinds of coverage?

Cyber insurance policies generally offer first-party cover (losses and/or damages impacting the business directly) or third-party cover (losses and/or damages affecting third-party entities such as suppliers or clients). Market-leading cyber insurers will offer elements of both.

According to Bilbao, some cyber insurers are more proactive than others in how they approach cyber risk, offering ongoing risk assessments and support. “This involves sharing insights and information about the policyholder, with the policyholder, to ‘empower’ them to act on information held about them. It also includes cyber security awareness training for all employees for the first year of the policy and the free penetration testing, as well as access to risk engineers and cyber security experts.”

Doesn’t my general business insurance cover this?

No. General liability insurance does not offer the same level of protection against cyber attacks as a cyber insurance policy. There are usually cyber exclusions on general liability policies.

“You’re not going to have access to the ecosystem that has been built around cyber insurance,” says Bilbao. “Forensic teams, legal teams, the 24/7 claims service, and cyber risk management resources, like comprehensive cyber risk assessment, cybersecurity awareness training, micro penetration testing, for example. The cyber landscape requires specialist policies.”

What can I expect to pay for cyber insurance?

According to insurance broker Get Indemnity, cyber insurance usually costs between £350 and £5,000 a year for SMEs. A low-risk microbusiness may pay as little as £175 per year, while a corporate in a high-risk industry may pay up to £10,000 per year.

UK-based SMEs that achieve the Cyber Essentials accreditation can access a free cyber liability insurance policy, which includes a £25,000 indemnity limit. The level of cover should be reviewed and may need to be supplemented with an additional policy, or by extending the policy provided through Cyber Essentials.

Do certain business sectors need better coverage than others?

While all businesses are exposed to cyber threats, different sectors have unique considerations and priorities.

As Bilbao explains, the construction industry may need coverage for missed bids if a cyber incident prevents a business from submitting a winning bid. Healthcare organisations need to restore systems and infrastructure quickly, so first-party coverage is crucial. If patient data is stolen, robust policies are needed to cover potential liability from data exfiltration.

Organisations operating in sectors with additional regulatory requirements, such as accountancy, financial services and healthcare, may also need to check if coverage includes any regulatory consequences of a cyber incident.

Manufacturers may not hold as much data as healthcare organisations, but if their operational technology becomes unavailable due to a cyber incident, they would need to claim for business interruption loss.

“Finally, professional services such as accountancy and legal services hold sensitive customer and business data. In the event of a cyber incident, the privacy risk would be huge,” says Bilbao. 

Action on cyber security can boost growth

As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:

  1. Establish a national cyber resilience fund for SMEs
  2. Enhance cyber security education and awareness
  3. Incentivise cyber insurance uptake

Cyber security awareness

Each year ICAEW marks global Cyber Security Awareness month with a series of resources and a podcast addressing the latest issues and how to protect your business.
