Data breaches – Is cybersecurity insurance worth the investment?

What is a cyberattack?

Many cyberattacks occur because of ‘phishing’ emails, which are a scam designed to extract sensitive information from recipients. A phishing email will often ask you to fill in your details to, for example, prevent spurious transactions and claim tax rebates, or send money to a bank account where the email seems to come from someone you know and where the bank account details have changed. According to a recent study, 69% of participating respondents said they’d received phishing emails within the last year.

Why should businesses be concerned?

Cyber risks are increasing at a rapid rate, due to our growing dependence on data and digital automation. The headlines over the past year have amassed a significant amount of attention towards these problems. This is hardly surprising, considering the recent Mactavish report highlighting that 43% of respondents had suffered from a cyberattack in the two years prior to the report.

One of our most recent cases involved an individual customer of our client getting duped by a phishing email that looked like it had been sent from the client. This resulted in the customer sending hundreds of thousands of pounds to a fraudster’s bank account. The individual customer then claimed for the money he had lost against our client, but our client was completely unaware that this transaction had occurred and that their customer had been duped by the fraudster’s phishing email. As our client had not received any money from the individual customer, we managed to resolve the case successfully.

Many companies don’t purchase cybersecurity insurance due to reasons such as uncertainty over the cover and mistrust in the potential pay-out. Nevertheless, businesses should consider cyber insurance, but should be aware of the caveats and exclusions that may apply.

Does cybersecurity insurance protect against all cyber risks?

Cybersecurity insurance does provide some comfort but does not provide the silver-bullet answer to all cyber issues that businesses might be hoping for. The Mactavish Cyber Risk and Insurance Report tells us why this is the case, pointing to 8 common flaws in some cyber insurance policies, which are, in summary:

1. Cover for issues caused by accidental errors or omissions may be excluded.
2. Data breach costs may be limited to, for example, only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice).
3. Systems interruption cover may be limited to only the brief period of actual network interruption, and not for the period after IT systems are restored but the business is still disrupted.
4. Cover for systems delivered by outsourced service providers is often limited or excluded.
5. There may be exclusions for software in development or systems being rolled out.
6. There may be exclusions where contractors cause issues (e.g. a data breach) but the business is legally responsible.
7. There may be complex and onerous notification requirements.
8. There may be no freedom for a business to choose its IT, PR or legal specialists as the policy only covers insurer-appointed advisors.

How to mitigate against cyber risks

Despite some of the limitations to cybersecurity insurance, there are a number of courses of action your business can take to help prepare for a security breach:

• Think about a bespoke insurance policy: when seeking cybersecurity insurance, firstly understand exactly the risks that could be facing your organisation. This will help you secure a more tailored, bespoke policy that will meet your specific requirements.
• Make a data breach plan: in essence, a data breach plan will contain information on who to contact, what to do and what should happen next (i.e. in terms of business operations and how to communicate the incident to the public, regulators, solicitors, etc).
• Communication: if you already have a data breach plan, then communicate it to your employees. A large portion of employees won’t even know a plan even exists, which will seriously undermine efforts to recover effectively.
• Training: given that 70% of data breaches occur because of human error, hold cybersecurity training for your employees. This could be a highly effective preventative measure.

Conclusion

Cyber risks are something that large businesses as well as SMEs should be taking seriously now. For more information about training, then please contact Jimmy Desai, Emmanuel Vranakis or Sara Hyder using the contact details below.