Skip to the content

Businesses seek additional insurance cover to combat rising threat of cyberattacks

The rising threat of cyberattacks has seen businesses increasingly looking for insurance to provide additional levels of protection.

The UK government's Cyber Security Breaches Survey 2021 found that 77 per cent of boards surveyed viewed cyber security as a high priority.

The UK government's survey also found that four in 10 businesses (39 per cent) reported having cyber security breaches or attacks in the previous 12 months, rising to 65 per cent of medium businesses (50 to 249 employees) and 64 per cent of large businesses (250 employees or more).

Of the 39 per cent of UK businesses, the most common threat was phishing attempts (83 per cent) while around one in five (21 per cent) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack.

The cyberattacks are from a wide range of threats including criminal groups, activists and nation states seeking to access and control computer networks or systems and the data held on them.

Intellectual property and personal data is targeted by criminals with the aim of carrying out electronic fraud, or extortion by threatening to disrupt systems or compromise confidential data unless a ransom is paid.

Leading companies such as Facebook, LinkedIn and Marriott International have reported cyberattacks with the Colonial Pipeline Company shut down  in May 2021 for several days causing fuel shortages in the USA.

As a consequence the global cyber insurance market is expected to grow from £5.6 billion (US$7 billion) in 2020 in gross written premium  to £16.4 billion (US$20.56 billion) in 2025.

Cyber insurance covers the losses relating to damage to, or loss of information from, IT systems and networks. Cyber cover may be purchased as a stand-alone product or as add-on coverage to traditional lines of business such as commercial property, business interruption or professional indemnity insurance.

The most common types of malicious cyberattacks are:

  • Ransomware.
  • DoS attacks. Denial-of-Service
  • Phishing.
  • MITM attack. In a man-in-the-middle (MITM) attack, or banking details to complete a fraudulent transaction.

Cyber coverage can typically be obtained for:

  • Incident response management costs.
  • Business interruption from network downtime
  • Cyber extortion.
  • Loss of data.
  • Recovering and repairing data.
  • Payment of compensation to customers for their loss of data.
  • Expenses associated with an attack.
  • To the extent insurable at law, losses associated with complying with regulatory investigations and the related defence and enforcement costs.

Cyber insurance policies will generally purport to exclude physical losses and, increasingly, property policies will also seek to exclude cyber-related incidents. However, there are instances where policies will not explicitly include or exclude cyber-related losses - known as 'silent' or 'non-affirmative' cyber cover.

The High Court's recent decision that bitcoin and other cryptocurrencies are 'property' may have consequences for the scope of cover granted  by insurers. The question of whether a non-cyber policy would respond to cyber losses is untested and will centre on the construction of the specific policy wording.

Non-affirmative cyber exposures may give rise to two significant issues for insurers: First, insurers may be required to pay claims for unforeseen cyber losses in certain circumstances when they have not charged a premium for the risk. Second, unexpected cyber exposures could trigger accumulation of losses within other policies.

The UK regulators are aware of issues relating to silent cyber and the Prudential Regulatory Authority has issued regulatory guidance, which sets out how it expects insurers to 'introduce measures that reduce the unintended exposure' to cyber risk from physical and non-physical damage

The importance of precise exclusions can be highlighted by reference to a common 'cyber exclusion' known as the CL380 clause. This clause is designed to exclude losses caused by malicious cyberattacks. However, the onus will be on insurers to prove that the cyber incident was malicious as CL380 does not deal with non-malicious cyber issues.

Cyber insurance helps protect organisations from the fallout from cyber-attacks and hacking threats by potentially covering certain consequential financial costs and minimising business disruption.

W Denis can arrange specialist cyber insurance cover and can offer first class technical advice. Solutions are available for multi-billion turnover businesses, down to small start-ups. To discuss this further with a broker at W Denis, please make arrangements with Daniel Moss at Daniel.moss@wdenis.co.uk or on 0044 (0)113 2439812

Contact Us

Call us today on 0044 (0) 113 243 9812 or arrange a call back to find out how you could benefit from our intelligence-led insurance policies.