“Highly recommend John Phillips. We’ve recently had to claim on our insurance due to the loss of our websites and the whole process has been SO efficient. Every company should have cyber insurance”
As with any contract it is vital you understand the small print of your insurance so you understand the cover you have in place but, as importantly, what does cyber insurance not cover? Cyber insurers will constantly be reviewing these terms to ensure they are in line with best practice but it is helpful to have a general overview of things to look out for.
We will go through these details with you when explaining your individual policy but here is a helpful guide on some of the points which commonly arise when discussing cyber insurance.
The sum insured on your policy can be calculated in two different ways. Some policies are written on an aggregate basis which means the number on your schedule is the total amount which your insurer will pay over the course of the policy period no matter how many claims you make. Some policies are written on an any one claim basis which, as it sounds, means that the number on your schedule is the maximum amount your insurer will pay in relation to any one incident and will pay up to this amount once again should you suffer another incident.
This term may be found in your policy and means that the legal costs incurred may either be included in the total sum insured or may be covered in addition to the sum insured (there may be a further limit for this).
Policies are generally written in two different ways to establish which insurer is liable to deal with a claim. On a claims-occurring basis, the insurer who insured the organisation at the time of the incident will deal with the claim. This is typically how Employers'/Public Liability claims are dealt with. For example, if there is a slip/trip in your workplace causing a visitor to suffer a back injury in 2018, it will be the insurer who insured you at that time who deals with the claim, even if the claim is brought in the following policy year.
On a claims-made basis, it is the insurer who is first notified of an incident who will cover the cost of the claim, even if the incident itself occurred in a previous policy period. This also means there may be a retroactive date on your policy. Many insurers have taken the approach of applying blanket prior events cover, but it is important to check whether this is the case when changing provider. It also means that if you choose to cease holding cover, you may wish to pay for some kind of 'run off' cover to protect you against any events which are discovered after your policy ceases.
If a policy appears much less expensive than others, there is often a reason! This may be because the policy is very basic, with a number of extremely important covers coming at an additional cost. Some policies may only cover costs required by law, but may not cover the total incident costs. A very basic cyber insurance policy can exclude crime cover, which means phishing and social engineering cover would be excluded.
In this vein, it is very important to remember that cyber policies are written to cover specified perils. Rather than being a catch-all policy for any eventuality, the policy will only cover you for what is outlined in the policy wording. Some policies may cover attacks or hacks, but may not cover accidents and errors. They may exclude software or systems in development or beta. They may not cover incidents caused by contractors. There may also be sub-limits under different sections of cover which could leave you exposed.
Another way a policy might differ is in the type and extent of business interruption cover it offers. Depending on your activities this can be one of the most devastating losses, so it is important to pay special attention to this. Firstly, the coverage might be limited to just the time there is network disruption and may not extend to cover the full disruption to the business. It is also important to consider where you are within the supply chain and how an incident at your business could affect any interconnected businesses. It is also very important to check the excess and indemnity period under any business interruption cover. For example, if your business is likely to start losing significant revenue immediately, an excess period of 24 hours may not be suitable, and if you suffer issues of goodwill with clients it may be more beneficial to have an indemnity period of 3 months rather than 28 days.
Policies may limit or exclude systems delivered by outsourced service providers. If your cloud service provider suffers an attack and goes down, meaning you cannot operate, it is your business that will potentially suffer first-party business interruption and the additional costs incurred in attempting to continue trading. It can prove extremely difficult, and potentially impossible, to recoup these losses from your IT provider. Additionally, if a breach of data that you are responsible for occurs at a third-party provider, it is still you that is responsible and your reputation that will suffer.
As with any policy, it is important to pay attention to the notification requirements. Certain policies may have onerous requirements, or they might even refuse to look at a claim if there is an unreasonable delay in reporting an incident. On the flip side, some policies can offer incentives for prompt reporting of any issues, such as a reduced excess.
Some policies may only cover insurer-appointed advisers and specialists. This is extremely helpful for SMEs who may not have the resources to keep a panel at their disposal. However, if you prefer to engage your own choice of firms, you may need to pay an additional excess or bear any additional costs yourself. This can sometimes be negotiated with the insurer, but it is better to do so when choosing a policy rather than when trying to make a claim.