Cyber cover: do you need a separate cyber policy?

Insurance should be your last line of defence when it comes to preparing for a cyber attack. In fact, insurers expect businesses to have a number of risk mitigation strategies in place. These strategies can reduce your premium on a cyber policy.

These include up-to-date anti-virus and anti-spam tools and system backups that are regularly tested. Rigid protocols around passwords are also essential. Staff training to ensure employees understand what a cyber attack or threat is and how to prevent one is also essential.

In a recent portfolio analysis conducted by cyber insurance specialist underwriting agency Emergence Insurance, showed FY19 cyber claims frequency was up 29 percent compared with FY18.

Professional, scientific or technical service industries accounted for 20 percent of claims; healthcare and social assistance 14 percent; and financial and insurance services 12 percent.

Insurance, can, however, play a role. “I liken it to the mythical beast from Greek legend called Hydra, a serpent with many heads. That’s what cyber protection is like, because it can come up in lots of different policies,” says Michael White, Steadfast’s broker technical manager. “It is obviously covered in cyber policies, but it can also be covered under business interruption insurance,” he adds.

“Staff training to ensure employees understand what a cyber attack or threat is and how to prevent one is also essential”

Cyber policies can provide cover in the event of a financial loss as a result of a cyber attack, which are common. Attacks of this nature include ransomware attacks, in which a criminal locks a business out of its IT system in exchange for a ransom. Other cyber threats include malware attacks.

This is when a criminal goes into a business’ IT system to store malicious software, for instance a tool to steal customer data or infect the business with a virus. Some sources suggest there are more than 350,000 malware attacks a day.

Cyber policies cover businesses for the cost of responding to a cyber event such as a denial of service attack that results in a firm, or its staff and clients, not being able to access its IT systems.

Cover pays for a technician to resolve the issue, as well as any economic loss the business suffers as a result of the attack, for instance lost sales. It’s also important to understand the elements of an attack for which cyber policies do not provide cover.

Cyber policies can provide protection for a financial loss, but they don’t usually provide cover for a physical loss, White explains. “If someone hacks into a car’s system and causes it to crash, the event would normally be covered under traditional vehicle insurance, rather than by a cyber policy.”

Similarly, if an attack causes the business’s servers to fail, this should be construed as property damage and could be covered under a separate policy to the cyber policy.

As this shows, businesses require a range of different insurances to help ensure they are properly protected in the event they suffer a cyber incident. As such, they are advised to work with an insurance broker so they have the right protections in place should they, like so many other businesses, find themselves under a cyber attack.


Important note – the information provided here is general advice only and has been prepared without taking in account your objectives, financial situation or needs.