Cyber insurance

Businesses of all sizes can suffer cyber-attacks and data breaches, so it is more important than ever to look at your cyber security and take steps to manage the cyber risks that you and your business face.

Cyber insurance is an important part of the journey when you’re making improvements to your security. Insurers understand cyber risks and support businesses of all sizes.

Cyber insurance helps you to cover the costs of a cyber-attack and improve cybersecurity, by helping to detect issues early, prevent cyber-attacks from happening and respond and recover if the worst happens.

What does cyber insurance cover?

Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks.

It covers a direct (or first party) financial loss to you or your business arising from a cyber event. A cyber event is simply any actual or suspected unauthorised IT system access, electronic attack, or privacy breach. The vast majority of financial losses are first party loss and include theft of funds, theft of data and or damage to digital assets.

Cyber insurance covers the liability actions that might be brought against you, arising out of a cyber event (third party loss), such as investigation and defence costs, civil damages, compensation payments to affected parties.

Cyber insurance also generally includes significant assistance with and management of cyber incidents both before and after an incident has occurred.

To protect you from these losses, cyber insurance policies usually cover the following

Court jurisdiction

It is always worth checking which territories a cyber policy applies to. While policies purchased in the UK normally include territories in the European Union and much of the rest of the world in their cover, North America is often excluded.

Claims brought by related entities

Whilst cyber insurance will protect your business from loss of customer data and any claims which arise as a result of this loss, policies do not normally include liability claims brought by entities related to your business such as your own employees, contractors and partially owned subsidiaries of your business. For example, if employees seek redress for the loss of their personal information following a data breach, this would not be covered.

Bodily injury and property damage

Cyber insurance policies will replace losses in the digital sphere but will not usually cover damage to physical property or bodily injury (death, sickness, disease or physical injury) which results from a cyber incident, as these are often covered by other insurance policies such as property or liability insurance.

Critical national infrastructure

Losses arising from failure of or outage to critical national infrastructure, such as electricity, gas, water, satellite or telecommunications, are excluded. As with war and terrorism, the risk is so large and beyond the capacity of individual insurers.

Cyber warfare

Losses to businesses that result from cyber warfare and cyber-attacks that may be linked to the actions of a particular country or government are common exclusions due to the risks being so large and beyond the capacity of individual insurers.

What does cyber insurance not cover?

Court jurisdiction

It is always worth checking which territories a cyber policy applies to. While policies purchased in the UK normally include territories in the European Union and much of the rest of the world in their cover, North America is often excluded.

Claims brought by related entities

Whilst cyber insurance will protect your business from loss of customer data and any claims which arise as a result of this loss, policies do not normally include liability claims brought by entities related to your business such as your own employees, contractors and partially owned subsidiaries of your business. For example, if employees seek redress for the loss of their personal information following a data breach, this would not be covered.

Bodily injury and property damage

Cyber insurance policies will replace losses in the digital sphere but will not usually cover damage to physical property or bodily injury (death, sickness, disease or physical injury) which results from a cyber incident, as these are often covered by other insurance policies such as property or liability insurance.

Critical national infrastructure

Losses arising from failure of or outage to critical national infrastructure, such as electricity, gas, water, satellite or telecommunications, are excluded. As with war and terrorism, the risk is so large and beyond the capacity of individual insurers.

Cyber warfare

Losses to businesses that result from cyber warfare and cyber-attacks that may be linked to the actions of a particular country or government are common exclusions due to the risks being so large and beyond the capacity of individual insurers.

Exclusions will vary between insurers so it is important to understand terms and conditions. Speak to your broker or insurer directly if you are unsure about any terms.

Help for SMEs

Insurance can only ever be one part of the toolkit of preventative measures, and as cyber threats continue to develop it is crucial that businesses also take steps to put in place strong cyber security.

Developed in collaboration with the National Cyber Security Centre (NCSC), our interactive Cyber Safety tool evaluates your tech setup, working practices and protocols. Uncover potential weaknesses by completing a brief questionnaire and receive personalised recommendations to enhance your cyber security, facilitating easier access to cyber insurance.