Do I really need cyber insurance?
Published: Wednesday, 28 June 2023
It's no longer a case of WHETHER you’ll experience a cyber attack but WHEN.
(Farrer & Co, Lawyers)
Attacks on smaller businesses are so frequent they just aren’t hitting the headlines anymore.
The biggest risk to a business is not that an attack happens but how you deal with the fallout.
You'll need a detailed and regularly tested plan along with sufficient funds, time and expertise to implement it.
What should your plan contain?
- Affected data subjects
- Other UK and global regulators
Under GDPR, data breaches need to be reported to the ICO within 72 hours of becoming aware of the breach (unless it’s unlikely to result in a risk to individuals’ rights and freedoms). You need to give the ICO sufficient information, but over-reporting can lead to more issues.
GDPR requires you to report without ‘undue delay’ to any affected data subjects if there is a high risk to the rights and freedoms of the individuals involved. Early, transparent reporting of any level of risk may reduce complaints, litigation and reputational damage from those affected.
The FCA, professional organisations and other global data privacy regulators may have additional reporting requirements specific to your organisation. Regulators will look at how quickly you mitigate and repair the damage caused by a breach when determining, and potentially reducing, a fine.
Showing that you acted quickly and robustly in response to any breach can help reduce the likelihood of successful claims by individuals for ‘distress’ caused.
The reputational risk derives from how you respond to the situation. Reporting to affected individuals before you have all the facts can cause distress, but ransom attacks can force your hand before you have all the information available.
Your preferred panel of experts
Companies that choose not to purchase insurance, or can’t find affordable insurance, may choose to keep a panel of experts on retainer so that if the worst occurs they can immediately access legal experts, IT support, reputation management and PR specialists for the first few weeks. These experts can create a draft plan with key staff to be enacted in the event of a breach.
You really don’t want to be researching who to use, and spending time with them getting to know your systems, at the time of a breach. Emergency call-out rates for expert help can be multiples of pre-agreed rates.
Crafting your crisis response plan
It can be useful to do a dry run or simulation of a crisis situation so key staff know what their responsibilities are and how to action the plan. You can also spot any gaps in your plan.
- How soon will you notify affected parties e.g. suppliers, clients?
- How open will you be about the problems?
- Do you have all the information to email affected parties (which is cheaper and quicker) or will you have to post letters?
- Are there different groups affected that need to be told different messages – staff, ex-staff, clients, ex-clients, suppliers?
- Can you create template responses now?
- Will you need to set up a call centre to handle enquiries?
- How else will you support affected parties (e.g. free credit checks)?
Are there benefits from not having insurance?
Insurers may want to handle things differently from you – they often think from a commercial perspective. How would your stakeholders expect you to deal with a breach? The example we were given was a church-based charity whose stakeholders could not morally, or ethically, agree with insurers paying a ransom to criminals in order to recover and restore their operations.
Proposal forms for cyber cover are lengthy and in-depth; you need to be very open and honest about your organisation’s cyber security and IT capabilities. There is often a worry that insurer investigations may discover something you overlooked that may invalidate the cyber cover, e.g. a failure to implement MFA or apply the latest patches.
Additional longer-term effects of a breach to consider
Breaches can cause longer-term issues that may not be apparent at the time of the initial investigation, e.g. third-party claims for loss of business, loss of intellectual property and longer-term loss of consumer confidence in your organisation.
Some companies will struggle to obtain a quote for affordable cover, or even any cover, after a breach.
In conclusion, if you choose not to buy cyber insurance you must have a detailed and regularly tested plan, along with sufficient funds and access to specialist resources, to deal with the fallout from a cyber breach. You may conclude that it’s simpler and more cost-effective to buy a cyber policy.
N.B. With professional indemnity policies increasingly excluding all but third-party cyber cover, we would advise you to buy a stand-alone cyber policy: business interruption and loss of reputation and client trust are difficult to quantify and can be more swiftly mitigated. Cyber insurers have a ready-made panel of experts with pre-agreed rates, significantly lower than if sourced individually. Incidents have been resolved more quickly, claims have been paid promptly and the experience is reported to be smoother.
For more help and advice about your unique circumstances, contact Colin Fox, our Cyber Insurance Consultant