Cyber insurance is designed to provide cover in the event of a cyber security incident, such as a data breach or malware attack. There are two key components to any good policy: cyber security insurance and cyber liability insurance. Cyber security insurance ensures your business survives the event and cyber liability insurance provides cover for third parties impacted by the insured event.
Cyber security insurance provides first-party cover if your business falls victim to a cyber attack. It covers the damages done to you and your business in the form of:
Incident management
This will help to cover the initial cost of an incident, and can include:
Direct financial loss
Policies should also help cover the direct financial loss you experience as a result of the cyber incident. This can include:
Cyber liability insurance applies third-party insurance to cover the damages to external individuals and businesses as a result of a cyber security breach. This could be at the time of the incident or years down the track.
Cyber liability policies frequently include:
Good policies generally include both.
Globally, 60 per cent of businesses cease trading within six months of a cyber attack. While most large New Zealand companies have cyber insurance and security measures in place, the majority of our small to medium enterprises (SMEs) don’t.
A recent Spark Lab survey discovered that almost 70 per cent of New Zealand SMEs have no crisis management plan for cyber attack, and 40 per cent have no virus protection installed on their company computers and devices. It might come as no surprise then to learn that almost a quarter of all New Zealand SMEs experience some form of cyber incident in 2017—that’s over 110,000 businesses.
In a nutshell, New Zealand SMEs are at greater risk than most.
Cyber crime does not discriminate. However, damage costs can. In particular, if you operate in the health, finance, professional services, pharmaceutical or technology sectors, the cost of a cyber incident is significantly higher.
That’s not to say large organisations are immune. In 2018 alone, Inland Revenue, Vector and Z Energy all experienced cyber security incidents. There are reports of the Bay of Plenty’s District Health Board fighting off 864,000 potential cyber attacks per day and the New Zealand Ministry of Health up to 1.7 million attacks a week.
Read more: Cautionary tales: the cost of cyber crime in New Zealand
Cyber insurance is not a get out of jail free card that exonerates a business from ensuring and maintaining a high level of overall security. Below we outline three key exclusions to be aware of:
Poor security measures
While cyber insurance may protect a business from the greater cost of a cyber attack, businesses should still take their online security seriously. In fact, an increasing number of insurers are refusing to cover a business if they don’t have solid security measures in place.
Negligence
Many cyber attacks rely on weaknesses in commonly used software and networks to carry out an attack. Therefore, failing to install the necessary system updates could cause a cyber insurance claim to be rejected.
Reputation and brand damage
Cyber insurance can’t protect from reputational damage. It can, however, help cover the public relations costs a company might require. If you really want to protect your reputation, ensure you have appropriate cyber security measures in place first and foremost.
For a more comprehensive list of exclusions, click here.
Read more: What does a good cyber insurance policy look like?
Businesses with a larger digital footprint are certainly more exposed than others. Despite this, every business that has any kind of connected device—from a work phone to a server to an EFTPOS machine—are at risk of being attacked.
Different levels offered in New Zealand
Important! Some industries require companies to meet security compliance measures. For example, any retail store that accepts credit cards must be PCI compliant so that customer credit card details are secure. Failing to meet your compliance measures in your industry could see your claim rejected.
The cost of your cyber insurance cover will vary depending on the amount and level of cover you need.
Regardless of which insurer you choose to use, make sure you aren’t underinsured. When selecting your cover, it is vital to consider the potential damages a cyber incident could cause. How much can you afford to pay in a worst-case scenario? Will the amount you’ve chosen cover the damages—or would you go out of business?
If you work in the health, finance, professional services, pharmaceutical or technology industries, be aware that you may need a higher limit to ensure you’re adequately covered.
Cyber cover is usually excluded from all of the above. Here’s why:
In a nutshell, only cyber insurance covers cyber attacks. General liability, professional indemnity and material damage policies do not.
Should you come under attack, it is imperative that you call your broker immediately. they will notify your insurer directly and aim to get an IT specialist to you ASAP. Don’t pay any ransom, as the criminals have likely already damaged your data and won’t be able to restore your system anyway.
All claim handling will follow a similar structure outlined below.