How does cyber insurance work?

Cyber insurance offers vital protection against cyber threats and the financial damage they can cause. Read on to learn more about what it is and why every business needs it.

Cyber Article 15 min Mon, Jan 15, 2024

The role of cyber security

The cost of dealing with cyber incidents grows year on year, driven by a perfect storm that sees businesses increasingly using technology to operate and cybercriminals launching more frequent and sophisticated attacks.

Even so, a recent study found that 47% of small businesses have no cyber security budget at all, while around 60% of small businesses shut down within six months of suffering a cyber attack. What’s more, every business is at risk: small businesses can be seen as easy targets, and large businesses represent a bigger prize for ambitious cybercriminals. Good cyber security measures are essential in mitigating this cyber risk, and cyber insurance has a key role to play alongside them.

What is cyber insurance?

Cyber insurance, cyber liability insurance and cyber security insurance all refer to the same thing: insurance designed to cover the financial loss resulting from cyber threats and exposures. The best policies offer broad coverage, protecting against a variety of cyber incidents including ransomware attacks, data breaches and system interruption.

As businesses increasingly use and rely on technology, the digital assets they hold—essential business data, corporate information, client records and so on—become both more valuable and more exposed. Protecting these business-critical assets should be a top priority, but it is a tough ask for any business to handle alone.

That’s where cyber insurance comes in. Investing in a policy that not only covers financial loss but also provides proactive and reactive services means a business has a partner with expertise in preventing cyber incidents and in responding effectively when they do occur.

Why cyber insurance?

Risk mitigation

Cyber insurance isn’t a replacement for cyber security. It works in conjunction with existing security measures to help mitigate cyber risk. More than being there to cover financial loss if the worst happens, good policies will support the business’s internal IT team or external managed service provider with expert incident response and business recovery services—key to stopping cyber incidents from happening, responding effectively when they do and getting the business back up and running. 

We’ve already touched on how cyber incidents can have a devastating financial impact. The truth is that costs can vary considerably, depending on factors such as the type of cyber attack, the size of the business, the length of downtime and so on. Cyber incident costs can include:

  • Cyber incident response support and advice
  • Legal fees
  • Privacy breach notification costs
  • Digital forensic investigation costs
  • Loss of electronic funds
  • Ransom payments
  • System rebuild costs
  • Data recovery and data recreation costs
  • Income loss due to operational disruption
  • Third-party liability actions
  • Regulatory fines and penalties

Financial security

When a business purchases a cyber insurance policy, it shares its cyber risk with the insurer. The business is still expected to maintain good cyber hygiene, but a comprehensive policy means it has cover for financial losses if an incident does occur. Given that downtime after a ransomware attack lasts 24 days on average, having a partner who specializes in dealing with such events is invaluable.

Perhaps most importantly, cyber insurance offers peace of mind. Businesses can manage the risk of operating online, free to reap the benefits of the digital world while being safe in the knowledge they have cover in place.

Types of cyber insurance

Cover under a cyber insurance policy can fall into two broad categories: first-party cover and third-party cover.

First-party cyber cover
This covers the financial losses that the insured incurs directly as a result of a cyber event, typically one that affects its own network.

Typical first-party cyber losses include:

  • Incident response: real-time support and advice in relation to the cyber event; legal advice on any obligations the business may have; the cost of forensic investigation and remediation to remove malware, determine the root cause of the incident and establish what was accessed; the cost of notifying affected individuals that their data has been breached; and so on.
  • System damage and business interruption: restoring the business’s computer systems and data to the position they were in prior to the cyber event, plus any income lost as a result of system downtime.
  • Cybercrime: loss of electronic funds, whether through an attacker stealing directly from the business’s online bank account or through employees being tricked by social engineering into sending funds to fraudulent accounts, as well as reimbursement of ransom payments made in response to a cyber extortion event.

Any business that relies on its computer systems to carry out business operations, stores business-critical or sensitive data, or transfers money electronically is likely to have a first-party cyber exposure.

Third-party cyber cover
This covers a business for liability actions brought against them due to a network security or privacy event, such as the failure to prevent the theft of personal data. Typical third-party cyber insurance covers:

  • Damages: damages that the insured business is legally obliged to pay to third parties.
  • Costs and expenses: legal fees incurred to defend the insured business against the liability action (often extending to claimants' costs and expenses if the insured is obliged to pay them).
  • Regulatory fines and penalties: fines and penalties levied by regulators and other bodies.

Any business that works with sensitive client data or is responsible for protecting a client’s systems would benefit from this type of cover, including technology companies, financial institutions, healthcare providers and retailers.

How it works

Now we’ve seen the different types and use cases, how does cyber insurance actually work?

Our application process

CFC has built a streamlined underwriting process, so that businesses can swiftly get the cover they need. Through advanced proprietary technology and proactive threat hunting, we can calculate a business’s cyber risk profile in seconds.

Coverage details

CFC provides comprehensive cyber cover for a wide range of cyber risks, including incidents that result from human error (cyber events caused by an employee’s mistake) and insider attacks (cyber events carried out by rogue employees).

But most policies won’t cover:

  • Pre-existing incidents: cyber events that occurred before the policy was purchased.
  • System improvements: any costs related to improving a business’s technology systems beyond restoring them to their pre-incident state.
  • Known vulnerabilities: cyber events caused by a failure to address an error or vulnerability the business already knew about.

Our claims process
Whatever the cyber event, CFC has built a simple claims process that’s scalable and designed to work in tandem with existing cyber security partners.

  1. Notify
    The fastest way to notify CFC of a cyber incident is through our mobile app, Response, which is available 24/7. Customers can also notify us by email, phone or the website.
  2. Triage
    A technical expert will make contact within 15 minutes to triage the incident and work with the internal security team. They’ll provide initial advice to help contain and remediate the incident.
  3. Coordinate, kick off and engage
    A dedicated cyber claims adjuster will be assigned to work with the chief information security officer and guide the business through the claims process, helping to engage any external partners if required.
  4. Reporting
    Throughout the claims process, all stakeholders will be regularly updated on how incident remediation and the claim are progressing. At the end of the process, a findings call brings the claim to a close.

Costs and premiums

The cost of cyber insurance varies depending on several factors. What all policies have in common is that the premium is typically a small fraction of the cost of a cyber claim.
The cost of cyber insurance is influenced by:

  • Business size and industry
  • Annual revenue
  • Volume of sensitive data
  • Cyber security posture
  • The proactive prevention services on offer

Case studies: Cyber insurance in action

Vulnerable VPN

A bank catering to private and commercial customers, with revenues of around £100 million, fell victim to a ransomware attack after the cybercriminal exploited an unpatched vulnerability in the bank’s virtual private network (VPN). The cybercriminal deployed ransomware that encrypted all data and systems, making them inaccessible, and demanded a substantial ransom for a decryption key, before claiming they had also stolen sensitive data.

As the bank was a policyholder with CFC, it notified our team as soon as it discovered the breach. Our expert team responded at once, identifying offline backups that enabled the bank to quickly resume business as usual. We then investigated the root cause of the attack and determined that no data had been stolen. Since the bank had recovered its systems, the decision was made not to pay the ransom.

Despite avoiding the ransom demand, the cost of the attack was still significant. The forensic investigation alone came to £113,897. This came on top of £22,000 in legal fees and £5,000 to engage a crisis communications consultancy that handled media relations following the attack, bringing the total cost to £140,897—all covered by the bank’s policy with CFC.

Recruitment ruse

An employee working in accounts at a recruitment firm fell for a credential phishing email claiming that their outbound emails had been blocked by a spam filter. Trying to confirm that emailed invoices had reached external clients, the employee clicked a malicious link and unwittingly handed their credentials to a cybercriminal, who used the account to redirect a significant payment to a different bank account. The funds were deemed unrecoverable, and the original invoice still had to be paid.

As a CFC policyholder, the recruitment firm recouped the lost funds under the cybercrime section of its policy, which covers social engineering-style losses.

Getting started with cyber insurance

Cyber security is often cited as the number one business risk, yet far too many businesses don’t understand the need for cyber insurance. It’s time to remove the complexity and show how comprehensive cyber insurance is an invaluable tool for mitigating cyber risk—not only in covering financial loss but in preventing attacks and minimizing their impact in the first place.

Since it can be difficult to predict how cyber risk will evolve, it’s often best to go with an insurance provider that offers comprehensive coverage. That way, when a business suffers a cyber incident, it can focus on getting back on its feet rather than worrying about whether it has the right cover.

In today’s market, a good cyber policy will offer proactive protection from the moment a business buys a policy. Choosing a policy that offers these services helps to bolster existing cyber security measures and helps keep the business safe no matter what’s round the corner.

Learn all about comprehensive cyber cover in our cyber insurance guide, created in collaboration with BIBA. Reach out to our expert team with any questions at cyber@cfc.com.