What is cyber insurance? A guide for small businesses and the self-employed

While cyber insurance is a relatively new worry for businesses, it’s not one that should be overlooked.

• Best invoice app for small businesses
• Making Tax Digital: what small businesses and the self-employed need to know
• What is IR35? A guide for the self-employed
• How much business insurance do I need?

The internet’s opened up lots of opportunities for businesses all over the world – but it’s also opened up the possibility of suffering a cyber attack.

With hackers and criminals using more and more sophisticated techniques, most modern businesses that operate online should think about cyber insurance (if they don’t have it already).

Cyber insurance – what is it?

Technology is always evolving. A huge chunk of our lives is now carried out online and businesses need to adapt to the risks this poses.

As consumers expect businesses to handle their information responsibly and tough regulations promise heavy fines for breaches, cyber insurance can help protect businesses against the threat of a cyber attack.

Which businesses should consider cyber insurance?

Any business that relies on computer systems and the internet is open to cyber attacks and should consider cyber insurance.

Think about cyber insurance if your business:

• relies on computer systems and online software
• has sensitive data about customers or employees, like names, addresses and financial information
• has a website
• has a payment card industry (PCI) merchant services agreement in place

What is a cyber attack?

‘Cyber attack’ is a broad term that covers a range of different breaches, including:

• malware
• social engineering
• denial of service (DoS) attack

Malware

Malware refers to software that’s designed specifically to harm data, devices and people.

Most people will have heard of cyber attacks achieved through the use of malware – including viruses, trojans, worms, spyware and ransomware.

Example of a malware attack

The WannaCry ransomware attack in 2017 spread to 150 countries and affected organisations as diverse as Honda, FedEx and the NHS.

The malware infected computers and encrypted data, with the attackers demanding a ransom of around \$300 to unlock.

Social engineering

This is a broad category of cyber attack. It usually involves manipulation and social interaction, giving attackers access to sensitive data, information and accounts. It includes:

• phishing – you might’ve heard about (or even experienced) this sort of attack already. Here attackers send a genuine-looking email claiming to be from an institution like a bank or phone company, with the intention of stealing personal and financial information
• baiting – attackers may exploit a target’s curiosity by leaving physical media like USB sticks lying around in conspicuous areas. Malware then gets installed onto the victim’s computer when they plug the device in
• scareware – this scares victims into installing malware that infects their computer. The attack can come in the form of fake ads telling the victim their computer is infected and that the malware will clean their system
• waterholing – here attackers target a particular group by looking at which websites the group use the most, then infecting those websites with malware. Eventually a member of the group will be infected

Example of a social engineering attack

In 2017 The Register reported that as many as seven in 10 UK universities had been a victim of a phishing attack.

A freedom of information request led to seven universities disclosing they’d been targeted “more than 50 times in the 12 months prior to November 2016”.

Denial of service (DoS) attack

A denial of service (DoS) attack targets a particular network and stops its intended users accessing it. The attack usually achieves this by bombarding the network with lots of traffic or information that then causes a crash.

Example of a DoS attack

In 2015 all of the BBC’s websites were knocked offline in a DoS attack. A subsequent BBC News report said a group called New World Hacking attacked the websites as a "test of its capabilities".

Your data liability – what data breaches could you be fined for?

The ICO say a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

Data breaches can result in a heavy fine. Under the GDPR rules for businesses, fines for non-compliance are higher than under previous regulations.

Businesses in breach are liable to a dramatic increase in fines, with penalties reaching an upper limit of €20 million or four per cent of annual global turnover, whichever is higher.

Businesses have a responsibility to report personal data breaches within 72 hours of becoming aware of the breach. If you need to notify the ICO about a breach and don’t do so within the appropriate time frame, you could be fined up to €10 million or two per cent of your global turnover. The fine can be combined with other corrective powers.

Cyber insurance – what software is available?

While cyber insurance can be an important cover to add as part of your business insurance policy, it’s also necessary to take all the right steps so you don’t fall victim to a cyber attack in the first place.

One of these steps is to have software installed on your systems to prevent cyber attacks. There are popular products out there from well-known names like McAfee, Panda and Avast.

Make sure you’re looking at business-standard products, because businesses working with lots of devices and multiple users are more open to vulnerabilities.

Check out our guide to the best antivirus software for small businesses.

How to get a cyber liability insurance policy

There are lots of providers out there that offer cyber insurance.

It’s a good idea to shop around and compare policies, making sure the one you eventually go for meets all your needs.

MoneySuperMarket say that some cyber insurance providers will have criteria you need to meet before you can buy:

• threat and risk assessment – this will be a cyber profile of your business, which will show vulnerabilities and what you might be more likely to claim for. It’ll also include the expenses you could incur following a cyber attack
• employee best practice – this will show what you have in place to monitor systems and alert employees if there’s a threat, for example your antivirus and threat scanning software. It could also involve proving you’ve educated and trained employees on the risks and how to minimise them

Questions to ask when buying cyber insurance

When looking for cyber insurance, make sure you check all the same kind of details you’d usually think about when buying a policy. You should also consider specifics around cyber insurance too:

• will your provider be able to offer immediate support in the event of a cyber attack?
• will you be covered for both targeted attacks on your business as well as wider attacks you’re caught in?
• will your policy update automatically as new threats appear?
• will you be covered for mistakes made by employees?
• could you introduce more security to lower premiums?
• will claims affect future premiums?
• is the cover standalone or part of an overall policy (standalone cover can be more comprehensive)?

Are you looking for cyber insurance? Let us know in the comments below.