Business Case Studies

How to calculate your cyber insurance coverage

With cyber security breaches increasingly on the rise, and new European data protection rules (GDPR) now in effect, cyber insurance is something that no organisation handling consumer data can afford to ignore.

In fact regulatory penalties for a system data breach in 2018 are now so severe they can cripple a company that doesn’t have adequate cyber insurance protection in place.

What is GDPR?

GDPR is the common abbreviation for General Data Protection Regulation, a law that came into effect in Europe as of May 2018. For businesses operating within the EU this new legislation presents a real ‘game-changer’. Not only are the rules legally binding but failure to adhere can result in huge fines from enforcement regulators. Not to mention separate legal action from consumers whose personal data is compromised as a result of a cyber data breach.

GDPR is, in effect, an update of the 1995 Data Protection Directive, the previous rules governing data handling in European Union countries. Every company that holds European consumer data on record is affected by the new rules, including those headquartered outside of the EU.

What’s more GDPR gives consumers increased rights over the collection and use of their personal information. This change in legislation is just one of the many reasons cyber insurance uptake has increased from 19% to 31% in the U.S.While UK businesses are now investing over £1.9bn in cyber security measures in line with the Government’s long-term cyber security strategy.

How can cyber insurance help?

This year alone has heralded numerous reminders of how the world’s most seemingly sophisticated organisations are vulnerable when it comes to cyber threats. British Airways being the most recent company in a long line of global brands to suffer as the result of a data breach to its security systems. In this case the airline’s booking and ticketing service was compromised during August 21st to September 5th 2018, putting consumer transactions at risk.

Cyber insurance exists to protect organisations where a data breach occurs, helping the affected company to navigate the financial impact. In fact GDPR legislation updates in May 2018 prompted many businesses to re-examine both their cyber security controls and their protection needs.

Is every cyber insurance policy the same?

In a word: no. Currently there are no standardised frameworks for cyber insurance policies and consequently individual policies vary extensively in their level of cover, and policy restrictions. It’s this lack of cohesion, and confusion over cover limits, that has prevented some organisations from pursuing cyber insurance cover before now.

May’s GDPR rollout however put cyber insurance firmly back in the spotlight. Under the new data protection rules companies now have 72 hours to alert regulators if a security incident occurs or face hefty penalties. A move that saw a spike in online searches for cyber insurance policies ensue. Unsurprising when you consider that 22% of independent small businesses reported a data breach in 2017 according to the ABA Legal Technology Survey. Rising from 14% in 2016 respectively. In fact figures such as these only demonstrate the increasing need for adequate cyber insurance to protect an organisation’s interests.

How do I know the level of cyber insurance cover I need?

As cyber insurance policies can differ so greatly in scope the first thing you need to get to grips with is the specific risk facing your own operations. By which we mean assessing everything your organisation stands to lose in the event of a data compromise. Only once you do this can you fully appreciate the consequences of a data breach to your business.

Data records are an integral business asset, in much the same way as tools are to a tradesman. So in calculating your cyber insurance coverage you need to assess your information systems and create an inventory of the valuable records your business holds on file.

Some example data files, commonly held by companies, include:

  • Employee personnel records
  • Customer payment information
  • Postal addresses and telephone numbers
  • Medical records
  • Supplier or manufacturer details
  • Sensitive research, patents or blueprints
  • Accounts records

Once you’ve outlined all of the data on your systems you need to create a risk profile determining what the financial cost of losing this data would be. Don’t forget your policy has to ensure your entire company interests are protected so take time to conduct a thorough 360-degree assessment of your information and information systems.

One approach is to categorise your data by its risk level, using aHigh/Moderate/Low labelling system. At this stage engaging a qualified cyber insurance broker is highly advised. Not only is a broker competent at creating company risk profiles he or she will also be better qualified to quantify the value of your data records too.

The true cost of replacing lost or stolen data records

It’s estimated that for every 10,000 or less records compromised in a data breach the cost to an organisation is$5.9mn (£4.5mn),$200 or £150 per record on average. But these estimates fail to take into account other costs a business is liable for in the aftermath of a cyber hack.

Trading losses, PR responses and regulatory investigations are just some of the additional cost implications in addition to the number of records lost. Not forgetting any legal defence expenses and enforcement fines, which can also send the total net cost of a data breach soaring. To this end having a cyber breach response-plan can help to mitigate some of these unavoidable costs. This plan should (at a minimum) include keeping a legal team on retainer, conducting intermittent credit monitoring and agreeing a customer communication strategy in advance.

Questions to ask when comparing cyber insurance policies 

In order for a broker to guide you towards the correct cyber insurance policy he or she will need to establish where the vulnerabilities in your operations lie. Along with the consequences (financial, reputational, and otherwise) of a potential hack to your data records.

As part of this process it may be beneficial to reassess your existing data handling practices, including who can access information stored on your systems, together with your existing cyber security software. All of which can directly influence the price of the premium offered to you.

Some helpful questions to ask insurers when comparing cyber insurance policies include:

  • Does the policy cover breaches made by an employee?
  • Are breaches to third party data cloud storage facilities included?
  • Are there any geographical restrictions?
  • Will security breaches that occurred pre the policy start date be covered?
  • Can I lower my premiums by improving my security safeguards?
  • Are PCI-DSS affected breaches included as standard?
  • Am I covered in the event of a physical data breach?

While the above list is by no means exhaustive it does demonstrate the complexity of navigating cyber insurance in an age where tackling online crime is becoming increasingly challenging. Particularly in the case of multinational businesses whose operations expose them to a wide variety of data handling laws across multiple territories.

It’s also worth bearing in mind that not all cyber insurance policies will offer both first party and third party levels of protection, nor will the terminology of any two policies be like for like. So to avoid a lapse in cover it’s advisable to engage a broker who can help you navigate this complex insurance marketplace. Something covered in greater detail in this BluedropServices Cyber Insurance Guide.

Written by Doug Kelly, Director of Bluedrop Services, where he advises on specialist insurance.