Cyber insurance: what SME businesses need to know
Most business owners who own assets such as buildings, office equipment, machinery and stock would not think twice about buying traditional theft insurance as part of the cover they hold for the various risks they face. Yet most businesses nowadays are far more likely to suffer a cyber-attack than a break-in theft.
Does my business need to have cyber insurance?
If you use e-mail, hold client data electronically, trade online, take online payments or have a website, then you are vulnerable to a cyber-attack. Just by being on the internet, your money, your data and your customer data are all potentially accessible to cybercriminals, who have increasingly sophisticated methods of accessing that information.
Cyber insurance was the new kid on the block a few years back. The need for it has rapidly escalated since then, due mainly to the surge in various forms of cyber-attack during the pandemic, and this is expected to increase. Cybercriminals see increased IT system vulnerability, due to the increased digitisation of businesses and the change to hybrid working, with people connecting to remote networks.
Examples of common cyber threats to an SME business
It may help to understand the sort of threats that may affect your business:
Phishing – Social engineering is the most common cyber threat: people in businesses are tricked into revealing information or doing something they did not realise was harmful. The most well-known and common of the social engineering threats is phishing. This is when an e-mail is received from what is perceived to be a trusted source, to get an individual either to release sensitive information or to click on a malicious link.
Phishing has developed further: an e-mail can appear to come from a known supplier or service provider of the business, asking for an invoice to be paid but to a new bank account.
Ransomware – One of the most well-known malware threats, where cybercriminals infect a company network with malicious software, which then encrypts data to lock it down. A message will then be received demanding a ransom, often payable in cryptocurrency, if the individual wants to regain access to the data and/or the whole system.
Whilst the above refers to innocently clicking on a link, in some cases even a business employee visiting certain websites can result in data and systems being locked down.
Man in the middle (MITM) attack – The cybercriminal can eavesdrop on data sent between two people, networks or computers. The cybercriminal then intercepts and modifies messages, which the receiver thinks are normal communication with the other person. The purpose is usually to try to gain sensitive information to be used against the business.
Denial of Service (DoS) – This attack is meant to shut down a machine or network, making it inaccessible to its intended users. These are often set up by groups of hackers targeting a system to overload it and make it fail.
The Government say one in four businesses (39%) reported breaches or cyber-attacks in 2020. Most of these were against SMEs - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022
What does a cyber insurance policy cover?
One of the main things to consider is what you would do in the event of a cyber-attack.
Whilst insurers are there to pay claims, they are also there to engage the right specialist people to handle this situation on your behalf.
The two main headings of a cyber insurance policy are first-party (own losses) and third-party (your clients' and suppliers' losses).
Typical first-party coverage
- An initial response by the insurer’s cyber team to investigate, look to recover data and restore systems
- Cyber expenses for data breaches such as legal notification costs
- Cyber extortion demand costs (where necessary to pay)
- Business interruption due to lack of ability to trade
- Cybercrime (usually optional, but at least £100,000 is recommended)
- Public relations to protect the business.
Typical third-party coverage
- Cyber liability (held liable for third-party losses due to a cyber breach to your network)
- Network security liability
- Media liability
- Payment card industry liability is optional (where you are required to comply with PCI-DSS).
What does cyber insurance cost?
We recommend a minimum cover level of £100,000, to include £100,000 of cybercrime insurance, which is usually an optional extra. The annual cost based on £100,000 will range from £300 to £1,000 for most SMEs. Please note the annual cost is usually dependent on your activities, your turnover and your cyber security.
Higher cover levels are available to suit your needs. We can also look at the different policy excess levels available to make this more affordable.
How Mitchell Charlesworth Insurance Solutions can help
We are working with a number of reputable UK-based cyber insurers to offer cyber insurance cost indications and provide a summary of cover. We are sending these out automatically when our existing insurance clients have other insurances due for renewal. However, you can request a cyber insurance quotation before then as required, and we would actively encourage you to do this.
Cyber insurance is also available to any business not currently arranging their insurance with us.
For more information, please contact Richard Gorst to the right of this page.
Written June 2022.