Imagine the scene: your organisation has suffered a large-scale data breach. Your network has been infiltrated, and your customers’ IDs and payment details have been stolen. Could the cost of a breach endanger your whole business? And will your insurance company cover the losses?
Data breaches and cyber attacks affect growing numbers of businesses every year. The 2015 Information Security Breaches Survey, conducted by PWC for the UK government, found that 90 per cent of large organisations and 74 per cent of small businesses suffered a data breach in 2014-15.
The cost of dealing with these problems is also rising. The UK broadband provider TalkTalk was one of the most high-profile victims in 2015, when close to 157,000 customers had their data stolen. The company’s subsequent financial results showed the breach led to pre-tax profits falling by half: from £32 million to £14 million in the year to March 2016. The company lost around 101,000 subscribers in the quarter that followed the attack. TalkTalk had to bear several breach-related costs that dented its profits, including enhanced security features, incident response and consultancy spending, not to mention providing free upgrades to customers.
In light of trends like this, many businesses are turning to cyber insurance in increasing numbers to protect against such an eventuality. And more and more insurance providers are responding. According to an estimate from Advisen, the cyber insurance business generated $2.5 billion in premiums during 2015 and many observers believe this market could double within a few years.
In the US, more than 60 companies now offer standalone cyber insurance. That’s obviously good news for the consumer. What’s more, policies aren’t just for technology companies; financial institutions, healthcare providers and manufacturers are all running for coverage. If you have confidential data, you need to consider cyber insurance.
Cyber insurance specialist Daniel Cohen spoke at our Global Advisory Board meeting and he pointed out that buyers must be careful when choosing cyber-specific cover. Commercial general liability policies may leave gaps such as theft of laptops and mobile devices, which is another reason to think about a standalone policy that specifically addresses cyber risk.
In addition to absorbing the cost of a breach, cyber insurance can also help to safeguard the continuity of the operations of the business. There may be companies that can absorb the amounts, but dropping everything that you’re doing to actually work on the breach can be extremely disruptive to the day-to-day running of the business.
Some insurance policies specifically provide resources for handling a breach and its aftermath. These include first-party expenses like IT forensics, to determine the extent of an attack and uncover what data, or personally identifiable information has been accessed. A good policy will also cover notification expenses. Some insurers can give you access to breach professionals or crisis services experts. Other costs you would otherwise have to absorb include regulatory fines or fees, network restoration and business interruption.
As for the future, Daniel Cohen says we can expect trends such as insurers developing specialised programmes for specific industries, closer review of insurance requirements and agreements with vendors or contractors, and a strong push for risk controls and prevention measures such as those outlined above.
In the future, it’s possible that investing in security procedures will reduce the cost of the premium or fast-track the application. For now, this varies by carriers and some currently don’t check for governance, risk and compliance. Right now, there’s so much demand in the market that insurers are providing cover. But it’s worth planning for the day when the volume of claims will start to force insurers to push up their prices.