We’ve been living in a digital age for some time now and very few businesses operate entirely independent of technology. From the smallest businesses operating with a laptop and phone, right up to big organisations computing in the cloud and virtual spaces, everyone is at risk. As we continue to grow in the digital space, that risk is only going to increase.
With business survival at stake, Cyber Insurance can be a lifeline, yet many businesses remain sceptical about whether it makes sense to purchase such a policy. With guidance from CFC Underwriting, we take a look at 6 of the top cyber insurance myths and debunk them.
Myth 1: “We’ve invested in IT Security, we don’t need Cyber Insurance”
Quite simply, if anyone thinks they are 100% secure, they are wrong. Investing in top-level IT security is a great course of action to take, but it is not an excuse to ignore a quality cyber insurance policy. Just take a look at some of the high-profile businesses, including universities and government departments, that have been hit recently. They will all have invested in various IT security measures, yet they still got hit. If someone wants to get in, they probably will!
When people are involved, the risk of an attack is ever present, regardless of your investment in IT security. IBM has released data suggesting that 95% of all successful cyber attacks are the result of human activity, either accidentally or on purpose. Because no one ever leaves their laptop on a train do they! And that disgruntled employee has the best interest of the company at heart don’t they! Human error accounted for almost 75% of claim notifications to CFC this year.
Myth 2: “We outsource IT, we won’t be exposed to an attack”
This might give you someone to shout at when you can’t get into your business systems or your client data has gone missing, but ultimately your business is still going to be out of action and more than likely liable for a data breach. You can’t outsource the responsibility as the data controller. Relying on a successful claim for damages caused by a third party is a risky and lengthy business. Have you checked the standard terms of service of your supplier? It’s likely to limit their liability if a breach or system outage results in financial damage to their clients.
Myth 3: “We don’t collect or store any sensitive data so Cyber Insurance isn’t necessary”
One word. Ransomware. The cyber threat to your business extends far beyond privacy risks and data breaches. According to CFC, two of the most common cyber claims are money transfer fraud and business interruption as a result of ransomware. In recent years the WannaCry and NotPetya ransomware attacks got a lot of media interest after bringing a number of logistics and manufacturing organisations to their knees. System business interruption and damage was the core exposure, not theft of data.
Recently, CFC have experienced a surge in claims as the result of a new strain of ransomware called Sodinokibi. It was noticed that criminals were using Sodinokibi to target Managed Service Providers: organisations that provide outsourced IT support and solutions. (See Myth No. 2!) The potential reward of hundreds of new infections makes Managed Service Providers more attractive. In January 2020, the Sodinokibi virus was responsible for taking Travelex, the foreign currency firm, offline, with staff resorting to paper and pen to transact business. A number of third parties who rely on Travelex services were also impacted by the cyber attack, including Tesco Bank, Asda, Barclays and Virgin Money. The costs to the business will be huge.
Fraudsters are becoming more convincing and elaborate by the minute, and are often able to dupe the most senior, well-informed employees. So what if you don’t hold sensitive data? They want your money. If you bank online, you’re at risk. According to CFC, the largest source of Cyber claims activity in terms of frequency is in relation to the electronic theft of funds.
Myth 4: “We’re too small to have a Cyber attack”
If your business is vulnerable, it’s valuable. The big attacks make the headlines, but to think that thousands of smaller businesses aren’t being successfully attacked every day would be a mistake. The vast majority of claims originate from businesses with revenues under £100 million. A smaller business is seen as low hanging fruit as funds are not generally invested into IT security and education. Smaller businesses are easier targets or often less able to deal with the effects of an attack.
One of CFC’s largest claims this year was from a 5 person engineering firm making less than £1m in annual revenues. 90% of CFC’s claims come from companies with under £1m turnover.
Myth 5: “We’re already covered”
You may have some partial overlapping cover but if you’re aiming to fully protect your business from cyber threats, there is only one option, and that is to invest in a standalone, dedicated cyber insurance policy. Traditional insurance policies such as Crime Insurance, Property Insurance and Professional Liability lack the depth and breadth of a standalone Cyber Insurance policy. In addition, those traditional covers will not come with experienced cyber claims and incident response capabilities. If your systems are locked down as the result of a ransomware attack, and you have 50 employees unable to work, your Property Insurance claims department isn’t going to offer much salvation. If you think you’re already covered, it would be a good idea to speak with your existing broker to double check. Consider the limits, warranties and response times.
A Cyber event is more likely to happen to a business than a property fire, however only 10% of businesses have a Cyber insurance policy in place.
Myth 6: “A Cyber policy probably won’t pay out”
According to data analysed by CFC, Cyber Insurance now has a lower claims declinature rate than most other lines of insurance. Cyber Insurance is a relatively new product in an emerging market. Historically insurers needed to test the product and protect themselves whilst doing so. During that phase, cyber policies contained various risk management warranties, requiring certain controls for the policy to remain valid. For many, not least smaller businesses, cyber insurance policies were difficult to understand and comply with, hence some reluctance to purchase the protection.
The market has moved on and insurers have developed their products. A good cyber insurance policy will be free from risk management warranties and control based conditions, thus increasing the likelihood of a successful claim should the worst happen.
Cyber Claims Case Study
CFC have put together a great claims based case study documenting how a ransomware attack creates unforeseen complications for a small domestic goods retailer. Take a look at how a potential cyber attack claim could go.