Business interruption and rising penalties – why cyber insurance coverage is needed

Cyber-attacks are becoming increasingly expensive, causing more disruption by interrupting business operations and resulting in penalties for the business concerned for breaching data protection regulation if the proper protective measures were not in place. Barely a week goes by without another cyber-attack, with experts considering them one of the most serious risks of the decade. Such attacks can cause embarrassment and uncertainty, but it is the financial costs that have the biggest impact.

The cyber extortion of the San Francisco Municipal Railroad (Muni) is a clear example of how a cyber-attack can have practical implications for business operations. One can only imagine the financial impact the Muni Subway will face after approximately 600,000 people rode for several days for free. Businesses now rely on technology to such an extent that these kind of cyber-attacks can have the same impact on a business as a large scale data breach.

The uptake of Cyber Insurance coverage outside of the United States has historically been low. In the US the major costs of a data breach have been in notifying customers that their data may have been lost as required by law, while costs for investigations and remediation have been much lower. Globally, there is an increasing trend towards regulation, related to data, privacy and security issues.  These new regulation orders bring an increase in the costs of compliance as well as increased fines and penalties when companies fail to comply.

The EU General Data Protection Regulation (GDPR) increased the level of data protection and security controls required by organisations that do business with EU citizens. This is likely to see the cost of data breaches more closely aligned with those in the US – with fines of up to four percent of global turnover for egregious non-compliance.

Cyber insurance can provide recompense for these incidents, as well as financing the crisis management services needed to minimise damage. Whilst premiums are low due to the soft insurance marker, coverage can be difficult to define. Current policies tend to be inconsistent, providing generously for data and privacy issues in the US, but less so for business interruption and regulatory fines in the EU.

Insurers and prospective policyholders would be wise to be prepared for a market with differing coverage requirements than those that are set today. Before the provision or purchase of any cyber insurance policy, we recommend that three key points are considered:

  1. Cyber Exposure: The level of exposure an organisation faces from cyber-attacks, and how this will impact the business. This will include identifying plausible losses assessing how likely an attack will be based on how mature the organisation’s cyber security capability is.
  2. Cyber Coverage: The coverage provided by the potential policy and its associated premium, and a review of any other cyber coverage in other policies such as Property and Directors and Officers (D&O) liability. This allows the coverage to be compared to loss exposure in order to identify potential uninsured risks.
  3. Crisis Management: The ability to respond quickly and effectively to a crisis reduces losses for the insured and insurer. The ability to manage reputation fallout, remediate a breach and to recover money from fraud is a better indicator of the likelihood of loss than historical loss data.

Working with brokers, the insured and insurers – alongside independent experts – to identify these elements ensures that coverage and exposure are matched, and that losses are managed appropriately. On the horizon are real-world outcomes, including property damage and bodily injury, which will have real life impacts for people across the globe. Ultimately, coverage should provide peace of mind for all involved.