Compare Cyber Insurance For Businesses

At The Insurance Octopus, we source tailored policies that are built around your business and your needs. As such, there is no set price for a cyber policy, although they tend to start at around £182 a year. Because we tailor our policies based on the level of coverage you need, the risk your business faces and your annual turnover, you can rest assured that you’ll have everything you need but won’t pay a penny more. Included in the price is cover against breach costs, hacker damage, privacy protection, cyber business interruption, cyber extortion, and media liability. Remember, investing in cyber insurance provides great value for money – cyber incidents can be costly and you could face huge consequences, all of which cyber insurance can protect you against. 

Inevitably, as the dependence on technology continues to grow, so too do the number of cyber incidents, and therefore the number of cyber insurance claims. The reasons why businesses need to make a claim can vary from attacks to employees simply not paying attention. Here are just some of the most common cyber insurance claims that we see here at The Insurance Octopus:

• Human error
• Ransomware
• DDoS attack
• Phishing
• Misleading communications
• Impersonation
• Unauthorised access
• Data breaches
• Malware
• Viruses
• Rogue employees

As you can see, cyber incidents and attacks can happen in many forms – it’s important to understand the risks, mitigate them, and protect yourself with cyber insurance.

When larger corporations fall victim to cyber criminals, these cases are often high profile and hit the news in no time. As a consequence, many small businesses get complacent and are under the illusion that they are too small to be a target. However, that couldn’t be further from the truth – cyber criminals still target small businesses. Any sensitive data, such as email addresses and payment details, are highly sought after by cyber criminals, and small businesses often don’t have the measures in place to protect this information from an attack. As such, they can become an easy target.

Now more than ever, cyber security is vital for several reasons. Firstly, cyber incidents are more commonplace than ever, so it’s important to protect your business from the threat. Secondly, without cyber security, you could lose crucial data, bringing your business to a halt. Thirdly, not only could you lose data, but you’ll also lose credibility, reputation, trust from customers and money. Regarding the latter, reversing the effects of cyber incidents can be costly, as are the penalties you could face from regulatory bodies. In fact, these penalties are so significant that they cripple many businesses.

Cyber insurance, also known as cyber risk insurance and cyber liability insurance, is a policy that helps protect businesses and organisations of all shapes and sizes from the potential fallout of cyber attacks, network attacks and hacking threats. Having this in place can help reduce business disruption during a security breach and afterward, as well as help to cover the financial and reputational costs associated with such an event. Recovery can also be an overwhelming and financially difficult situation to deal with alone; therefore, finding a policy that comprises backup solutions and restorative processes is always a good idea.

However, there are certain aspects that a cyber insurance policy can’t protect against, and it’s key that every business ensures it understands what is and isn’t covered before they sign a contract. While having some form of cyber insurance in place can help a company should a cyber attack occur, the business is still responsible for managing its own cybersecurity and ensuring it has processes in place that keep its online practices secure.

As the National Cyber Security Centre states in its guidance: ‘’Cyber insurance will not instantly solve all of your cybersecurity issues, and it will not prevent a cyber breach/attack’’. This is up to you, as the business owner or chief security officer – otherwise, you could be in breach of GDPR and your own industry regulations.When it comes to who may need cyber liability insurance, any business that has an online component or stores electronic data could benefit, as could any company that depends on technology for its operation. Personal data such as customer contact details, staff information and sensitive financial data could all be hacked maliciously by cyber criminals and sold on for big money. There’s also the possibility that cyber hackers could cripple a network with ransomware. You may think your business may never fall foul of this, but you’d be surprised how often small businesses are virtually broken into and how much can be lost. That’s why a cyber insurance policy is so important, to ensure your losses are minimal, and that everything is taken care of should the worst happen.

Through our cyber insurance here at The Insurance Octopus, you can protect your business against a whole host of security risks, such as:

• Data breaches – We source extensive support for hacks and accidental loss of data, ensuring that your reputational damage is minimal, and that your clients are kept secure.
• Business interruption insurance – Should damage caused stop you from earning an income – for example, because your website becomes inoperable and therefore trading has to halt from your online platform – then your insurer can cover any loss of income, therefore not hindering your financials.
• Cyber extortion – This is the act of demanding extensive payment through data compromise or a denial of service attack. Your insurer can cover any pay out you are being extorted for.
• Hacker damage – If a hacker causes you loss by either damaging, destroying, altering, corrupting, or misusing your website, intranet, network, computer systems or data that you store electronically, or steals it, then your insurer can provide you with restoration support, as well as compensation for any losses.
• Crisis containment – We know that damage is far more lasting from a reputational point of view if data breaches, unauthorised access and hacks are not handled correctly. Our strong relationship with a leader in public relations can help you to appropriately address any unexpected issues, ensure the necessary damage control occurs and that your clients and key stakeholders have all the information they need to rebuild their trust in your capabilities.

Also covering privacy protection, media liability and other useful insurance policies, our sourced cyber insurance solutions are as extensive as they are useful.

Due to the variety and severity of cyber attacks, we can research cover for the majority of security breaches, such as:

• Malware: This is any type of malicious software created to exploit any programmable device, network of service, and it is typically used to extract key data that cyber criminals can leverage over businesses for great financial reward. What this key data is will vary from business to business, but it often pertains to personal information, such as client data, healthcare records and credit card details. Should this fall into the wrong hands, the misfortune that can befall the data owners could be detrimental. 
• Phishing: A phishing attack is where a cyber criminal attempts to trick a company into handing over their key information – for example, passwords, credit card details and intellectual property. Common phishing attacks include emails pretending to be from legitimate organisations, such as your bank.
• Man-in-the-Middle attack (MitM): This is where a cyber hacker intercepts the private conversations and communication of two parties to effectively spy on them both, steal private information or even alter it in some way. 
• Distributed Denial-of-Service (DDoS) attack: This is where a hacker completely floods a server with traffic to disrupt it, potentially even bringing it down.
• Structured Query Language (SQL) injection – Specific to SQL databases, this cyber attack uses SQL statements to query data, exploit the HTML of the website and modify it with malicious intent.
• A zero-day exploit: This is where cyber criminals learn of a specific vulnerability in industry-wide applications or operating systems, which they then exploit to target the businesses that use them.
• Cryptojacking: A cyber threat where a user’s device is compromised to mine cryptocurrencies, such as Bitcoin, Ethereum and Tether. What’s particularly bad about this is that a hacker could be using valuable network resources to mine a cryptocurrency without your business having any knowledge of them doing so.
• A Drive-by Attack: This is an internet-based risk where an unsuspecting victim visits a website, which then infects their device with malware. The website may have been hacked by a cyber criminal and has therefore been compromised.
• A password attack: Impacting not only business owners, but also clients that may have logins to your website, this is where a cyber criminal cracks passwords to gain access and potentially wreak havoc.

Eavesdropping attack: This is a security breach where an attacker searches for unsecured network communications to intercept and then access data being sent throughout the network. If you’ve ever been asked to use a virtual private network (VPN) when accessing the business network from an unsecured public Wi-Fi hotspot – this is why.

As the National Cyber Security Centre states: ‘’Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage. It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.’’ Because the prevalence of cyber threats is ever-growing, it’s key that businesses put processes in place that reduce potential damages and the fallout from this. Ways to prevent cyber attacks include:

• Train your employees to recognise fraudulent emails: Providing your staff with the right training to detect emails that impersonate known individuals asking for personal information or files will ultimately save your business a lot of hassle. For example, getting them to verify email addresses, check links before clicking them and use common sense when disseminating company information are all key.
• Keep systems and software up to date: Many cyber attacks occur due to outdated programmes allowing hackers to exploit weaknesses within and gain access to your networks. Patch management is one way to build up resilience.
• Ensure endpoint protection is secure: Endpoint protection covers networks that are remotely connected to devices. However, mobiles, tablets and laptops that are connected to corporate networks provide access to security threats. Endpoint protection software can assist with this.
• Install a firewall: Placing your network behind a firewall is one of the most effective ways to protect your business from a cyber attack. Firewall systems block any forced attacks on your systems before they do any damage.
• Run a data backup: To avoid downtime, data loss and big financial losses, backing up your data can ensure that clients, customers and business practices are protected and that business interruption is minimal.
• Optimise password safety: Using the same password for all related business accounts is never a safe bet. If a cyber criminal figured out your password, they’d then have access to all your systems and applications. Using a range of strong passwords for every account boosts your security, and regularly updating them will help maintain your business protection.

Have a cyber insurance policy in place: An extra layer of protection should the worst happen – this cover can secure your operations against various cyber threats and help reduce financial losses and reputational damage. Offering restoration processes, press control and peace of mind, you can make a potentially stressful situation far more manageable, as well as maintain trust from clients, customers and key stakeholders. Our cyber insurance policies are as varied as they are beneficial, and we encourage you to speak to one of our insurance experts today to learn about our options.

Taking out a cyber risk insurance policy may require you giving information about your current security measures. This could include both technical, human and procedural safeguards that you actively promote across your organisation, and collating this information could require detailed input from IT teams within your business – or beyond it, should this be an outsourced function.

 For business protection, it’s key you determine what functions need support, identify what security threats must be addressed and what must not be allowed to happen. Even if your insurer has a minimum cyber security requirement, it may still not be enough to protect your business. For extensive detail on this, the National Cyber Security Centre has provided guidance on how to mitigate and manage cyber risks, and this can be found here.

 What’s more, many insurance companies provide discounts should your company already have reputable cyber security defences in place – for example, Cyber Essentials, or Cyber Essentials Plus. Cyber Essentials looks at patch management, boundary firewalls and internet gateways, as well as malware protection, secure configuration and access control to ensure weaknesses can be identified and security features recommended for better business performance and protection. Cyber Essentials Plus has all the benefits of the former, but also includes a technical verification from a trusted security professional. At The Insurance Octopus, we’d highly recommend a defence process is put in place, and that you regularly check this to ensure continuity. Making your insurer aware of this too may also reduce your premiums too.

 Beyond lowering your insurance premium, having a scheme such as Cyber Essentials in place also shows your customers, stakeholders and business suppliers that you understand the importance of cyber security, have put measures in place to monitor this, and that you have gone beyond cyber insurance to prevent issues before they even become them.

What may also be relevant, is that some companies who reach Cyber Essentials status can also be offered cyber liability insurance as part of this certification via the IASME Consortium. This can therefore protect your business at every level, and provide cost savings too. At The Insurance Octopus, we would however remind you to check this policy will cover your needs completely, as a more tailored cover may be what’s best for your business.

First things first. You need to have a policy in place that covers you fully, taking into account both evident and potential network attacks and cyber threats that could hinder your business. At The Insurance Octopus, we know that every business is different, and cyber threats could come from varying points, and that’s why we take the time to understand how your business may be impacted, and the level of cover you may require. Even through our cyber insurance quote form, we ask questions around client records and your cyber limit needs, ensuring our clients adhere to GDPR and related regulations surrounding cyber processes and the protection of data. It is this approach that ensures you can trust that your cyber risk insurance is the right one for you.

Beyond the right policy, it is good practice to have the following security processes in place to protect you from malware attacks, software flaws, and other such cyber attacks:

1) Using strong passwords throughout your business, and especially when it comes to accessing key tools and client information. You can make passwords tough to hack by:

• Utilising a mixture of capital and lower-case letters, numbers and symbols and making each password at least 12 characters long.
• Updating your business passwords frequently and never using the same ones across multiple accounts.
• Incorporating two factor authentication for key accounts so that only assigned and trusted team members can access them.

2) Control access, by ensuring only authorised individuals can access data, private information, tools and services, via:

• Controlling physical access to your business premises, computer networks and internet connections.
• Restricting access to unauthorised users, and not making free Wi-Fi accessible to visitors unless necessary.
• Limiting what can be sent and received via email attachments and installing error controls should attachments trigger concerns.

3) Put up a firewall, to help protect your devices from internet-borne threats, such as viruses and malware. Checking your firewall devices fairly regularly and ensuring they have the most recent software updates installed is also key here, otherwise they may not be effective.

4) Install security software, such as antivirus, anti-spyware and anti-malware protection software to help identify and remove any malicious code should it enter your network.

5) Update your programs and systems frequently, to help protect against any bugs or vulnerabilities, and continuously monitor them to check for any unusual or suspicious network activity. If a potential security breach is detected, you can receive alerts based on the activity found.

6) Regular training, as every single member of your business has the responsibility to keep it safe and secure. Ensuring they understand best practices, their roles and responsibilities and any relevant security procedures and providing them with regular cyber security training can help to mitigate any risks, and keep your company safe.

It is good practice to reevaluate your cyber insurance policy cover annually to ensure that the policy provides sufficient protection for your business; remember to account for any incidents that may have occurred during the year. While you are completing your review, it is a good time to check that your company’s cyber security measures are up to date and communicated to your insurer. As with all other cover, it’s key that you let your insurer know should your circumstances change so that your business is still protected against cyber threats. Should you ever claim that security measures are in place when they’re not, your insurance company may not have to pay out on any cyber crime insurance claims. This could be detrimental to your reputation, financials and company’s future.

This will wholly depend on your insurance company. Some insurers will offer services that are immediately useful, including legal support, IT forensic services or PR assistance to lessen any reputational damage. They could also put you in contact with a Cyber Incident Response (CIR) organisation, or their own internal cyber response team. 

The majority of insurance companies will look to swiftly restore network systems and data, while also reducing any losses caused by business interruption. For example, due to data breaches, there could be legal action from your customers, clients, stakeholders or suppliers – among other impacted parties. With a suitable cyber insurance policy in place, the defence and claims will typically be covered. If you have a claim you can contact our customer services team on 0161 968 2030 and we will direct you to your insurer.

Policy cover differs from business to business, and your specific requirements, but in general terms, your cyber insurance won’t cover:

• Any potential future lost profits: Cyber insurance will cover money lost during company downtime, but this won’t extend to any future lost profits. For example, if – due to the cyber breach, your year end profit projections will be less than expected, you can’t claim for this. We can however cover business interruption, which is the loss of revenue and additional increase in cost of working because of reputational damage.
• IP (intellectual property) theft: If your IP gets hacked into, and therefore becomes unusable, your insurance likely won’t cover this, or any loss of contracts, lost opportunities, or devaluation of your trade name.
• Upgrades and associated costs: Following a security breach (though we’d always recommend before), you may decide to upgrade your technology and security systems. Here at The Insurance Octopus, we may source cover for resilient improvements – i.e. – the costs to improve resilience of computer systems following a loss, but this may vary depending on your insurer.
• Third party errors: If you use a third party for email services, web hosting, cloud services, customer relationship management or any other business operations, and they suffer a breach which impacts you, this may not be covered. With many businesses using popular platforms such as Gmail, Office 365 or Amazon Web Services, it’s always worth checking your policy document for complete protection.
• Social engineering – for example, where team members or business executives are tricked into sending money to outside accounts (perhaps because they are posing as trusted sources or have hacked into your payment provider) is not usually covered.
• Illness, injury or property damage: Though we here at The Insurance Octopus can offer employer’s liability insurance, personal accident insurance and content’s insurance as separate policies (or under one policy should you require it), the cyber insurance policy itself will not cover this. This may not seem relevant, but consider the following: A manufacturing firm may run on computers to assist with the manufacturing, distribution and shipping of goods, as well as keeping track of sell-by dates. If a cyber attack interrupted any part of this process, it could cause defects, goods to spoil or damage to contents. This knock-on effect could be costly, so we’d suggest having a think about other policies you may need for full business coverage.

Incident response is a key part of your cyber security strategy, and part of the wider cycle of business protection. As detailed by the National Institute of Standards & Technology (NIST), this cycle includes: Identify, Protect, Detect, Respond, Recover. Your incident response plan is related to disaster recovery, and your crisis management, and they all come into play when the incident is momentus enough to cause serious disruption and damage to your company.

According to the National Cyber Security Centre, your incident response plan should include:

1) Key contacts, such as your IT provider, senior management team, your solicitors, digital PR company, HR department and insurance company. It’s recommended that you have at least 2 contact methods and at least 2 contacts for each of these, just in case 1 of them isn’t available.

2) Escalation criteria – Matrices should be developed to identify the seriousness and priority level of an incident, as this can then inform how quickly it needs to be taken care of, and who it needs to be escalated to. As an example, a high or critical severity incident should likely go to the board level, whereas a low priority event could be handled by your IT team.

3) Processes – such as the incident response cycle, which includes:

Analyse: This includes everything from technical analysis through to reviews of any online and offline reactions, so that they can be handled correctly. It’s key that these tasks are prioritised and that any findings are reviewed, as this could lead to new tasks.

Contain/Mitigate: The next step is reduce any impact or fallout from any incidents, and also lessen the chances of them getting worse. This could involve: Blocking access/activity, isolating related systems and resetting accounts and passwords, as well as any media handling. Two key things to take into account here:

• You may need to make critical decisions here regarding key business systems, and the consequences of this.
• It’s possible that your cyber attacker may react badly to actions, and make further attempts to hinder your network security. Therefore, it may be better to monitor and analyse the current situation before taking further action. 

Remediate / Eradicate: This is where you aim to remove the cyber threat from your systems and networks. 

Recover: Once the cyber threat has been contained, and systems have returned to normal, clean systems and data are put back online, and any further regulatory, legal or PR-related problems are handled.

4) Have at least one conference number to hand, and this should always be available to make any urgent calls.

5) Basic guidance on both relevant legal or regulatory needs, and knowledge of when to utilise legal support and your HR department, as well as how to follow guidelines that will ensure you stick within the law. 

Your IT infrastructure is the foundation of all of your processes and operations, and therefore it all needs to be protected. Should you have lots of hardware, this means there’s more that may need to be repaired or replaced, whereas your software may require data restoration. This should all be taken into account when considering how much cybersecurity and cyber insurance you may need. Could you still trade without access to your key systems or website? How would you communicate both internally and externally without email and cloud services? If you accept online payments, how will you protect customer data? Ultimately, what would be the fallout should your business be hacked, and could you afford the legal costs and associated expenses? Having to contact regulators and customers and making them aware of the incident can also be costly and time-consuming, and not an easy thing to have to do either.

Whatever you decide, we here at The Insurance Octopus know that without cyber insurance, a cyber attack will cost you money, but how much is another story. A cyber insurance consultant can help you to understand how much cover you may require based on your current operations and the potential costs that a network attack could cause.

According to Beaming, via IT Pro, UK businesses each faced on average 686,961 attempts to breach their systems in 2020, and this was the busiest year for cyber attacks. This rise in attempted cyber attacks can be attributed to COVID-19, and the shift to remote working. Even big businesses – such as Nintendo, Twitter, EasyJet and Zoom suffered at the hands of cyber criminals, and there’s much we can learn from this, such as:

1) No business is safe and any business, of any size can be subject to cyber attacks or threats to their cybersecurity. Even the most seemingly secure companies can be taken advantage of – whether through network attacks, spear phishing attacks, IP spoofing attacks or security flaws.

2) Testing your systems and processes often is key. Attackers will always be searching for misconfigurations or flaws that provide access, so it’s up to you to find those vulnerabilities first and protect them.

3) Staying up to date with software updates and hardware upgrades is key, as older systems can easily be exploited, and may be harder to recover data from too.

4) How vital cyber insurance is, and how much money it can save you, along with the reduction in stress knowing there is a trusted company by your side that is there to support you, no matter what.