Five things your cyber insurance may not cover
Like most policies, cyber insurance is an absolute essential for IT security professionals to consider.
Cyber insurance is a much-needed additional level of protection to complement your existing security practices. It is a relatively new concept, one that people have been sitting up and paying attention to for nearly a decade. However, uptake is not yet universal – a study found that only about one third of US companies currently have cyber insurance.
But, with nearly 19,000 records being lost or stolen every five minutes and numbers just increasing, any technology-reliant company needs to invest in cyber insurance. A cyber insurance policy transfers the risk should you be the victim of an attack. It covers the costs of recovery and crisis management. This could include investigations, legal costs and fines, data recovery and repairing any damaged kit. In addition, with GDPR coming into force next month, it will become mandatory to notify the ICO and data subjects of any breach. This can be incredibly costly but a robust cyber insurance policy should cover this.
However, a cyber insurance policy may not cover all eventualities. There are some loopholes you will need to consider before signing up for a particular policy. It may be that your company does not require some potential added extras. Or, something which could easily be overlooked could be an essential requirement for your individual business practices. Here’s our guide to what to think about when taking out cyber insurance.
A policy may not cover third-party service providers
Most companies will use third parties to look after aspects of their business practice, particularly when it comes to technology, hardware and cybersecurity. It is important to ensure that you are covered when it comes to how third parties use, access and manage your data. Even if a data breach is the result of a contractor's actions, you could still be liable. This is particularly the case under GDPR.
A policy may rely on existing cyber security measures
When taking out a cyber insurance policy, it’s standard procedure to be asked a number of questions about your existing online security safeguards and activities. If you say you do regular data audits and train staff on the latest security developments, then make sure you do actually carry this out. Failing to do so could leave your cyber insurance invalid in the event of an attack.
A policy may not cover all types of cyber attack
Just like travel insurance may not cover you in the event of a natural disaster, cyber insurance may also have certain exclusions such as war, invasion or terrorism. If you think this is something your company may be vulnerable to, consider how to bring in protection to cover you for these areas, which could mean an increasingly specialist policy or paying a higher premium.
Policies for patent, software and copyright infringement
You may find that some exclusions in your cyber insurance policy are actually covered in other types of business insurance. A loss, violation or abuse of copyright should be covered by intellectual property insurance. However, data attacks are not commonly covered by general liability insurance so a specialist policy may well be required too. Some cyber insurance policies will include an additional clause about this, so check the small print to see if they offer support for such issues.
A policy may not cover accidental data breaches
Lots of home contents insurance policies are invalid if a burglar gains entry through an open window. If someone within your company falls foul of phishing or does not consider online security, then your cyber insurance policy may suffer a similar fate. Some accidental attacks can also go unnoticed for a long period of time and some policies may only cover attacks when reported within a certain time frame. Keep on top of regular cyber security basics to avoid an attack slipping under your radar.
The best way to ensure that your cyber insurance policy covers all that you need it to is to determine what costs you need covered and for what type of incidents. Circulate this list amongst your teams, suppliers and partners and then contact a specialist broker to see what options are available for you.