An Uber risk in an increasingly digitised world of commerce and industry - how to manage your cyber exposure through insurance.
In the wake of yet another high-profile cyber security incident, this time involving the global private taxi company Uber, it would appear that no sector or industry is immune from the incessant onslaught of cyber attacks, which in recent years have included those against energy providers, airlines, universities, food producers and even law firms. Now, a global tech company whose IT security and firewalls were ostensibly robust and which should have been impenetrable to all but the most sophisticated and talented of hackers has been compromised, resulting in the possible exposure of customer and supplier data, along with other business-critical information, that could be extremely damaging and costly for the company to rectify.
A company like Uber is always going to get more attention for suffering this type of incident. But it would be a mistake to think this is a problem confined to the largest, or most high profile, of businesses. Cyber-crime is big business, and the increasing availability of hacking tools as a service means that any business could find itself the victim of an attack.
To help you better prepare for the possibility of a cyber attack, we have put together the guidance note below, which explores and explains some of the basic legal principles around cyber insurance that you will want to consider to protect your business, your customers and your relationships with third parties.
What is Cyber Insurance?
Cyber insurance is a special type of insurance designed to protect individuals and businesses from internet and cyber (or digital) risks. Cyber risks include risks relating to:
- Information (or data) privacy
- Information technology (IT) infrastructure
- Information (or data) governance
Cyber risks are not usually covered under standard commercial risks and general insurance policies, so whatever industry you're in (this doesn't just affect digital, tech or online-only businesses), it's worth researching and considering your options in relation to cyber insurance cover.
The most common type of cover is what is known as 'First Party' cyber insurance, which is intended to cover loss and damage to your business resulting from:
- Hacking
- Theft
- Data destruction
- Extortion (ransomware)
The second type of cover is known as 'Third Party' or 'Liability' cyber insurance, which covers loss and damage suffered by other parties due to:
- Errors
- Omissions
- Defamation
- Failure to safeguard Personal Data or Commercially Sensitive Information
Third Party cover usually incorporates a number of additional benefits which can include:
- Regular security audits
- After incident public relations management
- Investigative expenses
- Criminal reward funds
Why do I need Cyber Insurance?
To protect your business in the event of a cyber threat or cyber incident caused by malware or ransomware directed towards your operations. As the world becomes more digital by the day, many of our clients are experiencing an increase in the number and frequency of cyber risks, cyber incidents and cyber attacks. With such threats continuing to advance and become more sophisticated, many businesses across all sectors are choosing to buy cyber insurance products that are often offered with IT security services to protect their day-to-day business interests.
Our clients need to ask themselves what would happen if their computing systems, company servers, accounting software, stock and product management software, customer databases and/or supply chain management records and systems were suddenly taken out of use or compromised in some way that prevented them from doing business, potentially for days or even weeks.
Your current insurance may cover certain issues related to cyber risks, but it's probably not comprehensive. Even though many insurance companies are enhancing their coverage to include cyber events, if you want to be completely covered for anything related to cyber, it's wise to purchase cyber insurance specifically. Cyber insurance is important because it not only covers your business, but it also helps your customers and clients. Cyber insurance adheres to regulations that require businesses to notify their clients in the event of a data breach involving personal information. In addition, cyber insurance policies can provide compensation for legal fees. Cyber insurance has many benefits including the protection it offers for large security breaches, the recovery it provides for major losses, and the service it administers to businesses to help them return to normal after a cyber event. Cyber insurance takes pressure off the government to provide aid for businesses that suffer from a cybercrime. Cyber insurance also brings an element of fairness to the table. The cost of premiums is balanced with the size of expected losses. A huge company that is more at risk of a cyber attack will pay a higher premium than an owner of a small tech platform who is just getting up and running, for example.
Even if you otherwise have a full suite of insurance products in place, you may not have the business interruption and response management cover you think you have in the event of a large-scale cyber incident or attack. This is something that you will need to check very carefully and possibly take specialist insurance law advice on.
Stats on Cyber Attacks in the UK
One Small & Medium Enterprise ('SME') in the UK is successfully hacked every 19 seconds, according to Hiscox. There are (conservatively) around 65,000 attempts to hack SMEs in the UK every day and about 4,500 of these hacks are successful. This means that cyber threats and cyber attacks affect 1.6 million of the 5.7 million SMEs in the UK each year.
The Cyber Security Breaches Survey conducted a study of UK businesses and the cyber security issues they encounter. Nearly 50% of businesses and around 25% of charities have reported cyber breaches or cyber attacks in the last year, and 22% claim they experience these cyber attacks at least once a week. Many of the companies that reported cyber security breaches also experienced a rise in phishing attacks, but a decrease in viruses and malware.
Among the 50% of businesses that reported a cyber breach or a cyber attack, one in every five experienced material loss; they lost money or data, or both. Two in every five were impacted negatively, meaning they experienced business disruptions and interruption or complete cessation of trade for a period of time. These companies needed to implement new security measures and many dealt with a shortage in staff during the aftermath. These impacts are in addition to the reputational harm that such an incident can have on your business's standing with customers, users or other stakeholders.
A bit of good news: this survey discovered that businesses and charities in the UK experienced a quicker recovery after a cyber attack in 2020 compared to a cyber attack in 2017. This shows that businesses are becoming better prepared and better insured in case of a cyber security breach.
In 2020, the average cost of damages from a cyber attack for a small business was £3,230 per incident or loss. The average cost in damages for medium and large businesses was £5,220.
According to the study, every year since 2016, businesses and charities in the UK have enhanced their knowledge of cyber attacks, increased their cyber security measures and carried out cyber security risk assessments. But as defenders' knowledge has improved, so too have the cyber attackers and hackers become increasingly sophisticated and complex in their methods and tactics to penetrate firewalls and security systems. The risk of a cyber attack or incident has not gone away, but continues to evolve and present fresh challenges.
Am I covered for a Cyber Event or Cyber Incident?
The simple answer depends on the type of insurance you hold. Read your policy and do your research to discover what exactly your insurance includes. Ask your insurance company or broker for the specifics so you know which cybercrimes are covered and to what extent. Check whether the definitions of an incident include the latest threats and attack vectors. It is worth checking whether you have First Party cover, Third Party cover, or both.
If you already have cyber insurance, you should also understand all the details of your cyber insurance policy. Cyber breaches that result in a negative outcome can incur significant loss, so make sure you know the ins and outs of your insurance plan, so you won't be surprised in the unfortunate event that a cyber attack or cyber incident occurs.
It's a good idea to keep up to date with cyber security issues and how they are developing and changing, because they affect your business. Many companies need to implement audits and purchase cyber insurance. At the time of the survey in 2020, 50% of companies in the UK had carried out an audit and 32% were covered with cyber insurance. This is a figure that we anticipate will continue to grow in light of the continuing stream of news stories about cyber-incidents such as the recent attack on Uber.
Why we are the right firm to help you
Freeths can help your business with legal issues surrounding cyber risk and insurance, including but not limited to:
- the range of potential cyber risks applicable to your business
- what your current cyber insurance coverage provides
- any limits of indemnity (caps on the amount you will receive in compensation or reimbursement in the event of a catastrophic cyber event or incident)
- any under or over insurance and what steps you need to take to address this
- what steps to take with your broker and/or insurer to ensure that you are fully protected
- support in relation to the cyber insurance claims process and any coverage disputes and/or quantification (valuation) of loss issues with your insurer
- arbitration and litigation to contest and/or enforce your insurance law and contractual rights
In addition to the above, Freeths can advise your business in relation to good data governance and establishing robust privacy and information security policies in order to mitigate the risk of cyber attacks and data breaches. We can also support you in the aftermath of a data breach or cyber incident: in relation to engagement with the ICO or other regulators, responding to any third party claims you might have against suppliers or others who exposed your systems to risk, and/or claims that are made against your business by your customers or other affected individuals.
We know that, as well as lawyers, professionals such as bankers, insurance brokers and accountants often play a significant role in guiding businesses through cyber security issues. Business owners tend to start thinking about cyber risks during tax returns, audits, upgrading operating systems and switching to the cloud, but there is no time like the present to address any queries or concerns you might have in relation to your cyber insurance or commercial risks insurance cover. Whatever your need for cyber risk management, legal advice and support, we can help.
For all enquiries, please contact Nick Sutton, Partner in the Commercial Dispute Resolution team on 0345 077 9567 or email nick.sutton@freeths.co.uk
Disclaimer: this article is not intended to be legal advice and serves as a guidance note to inform clients about some of the cyber risks and insurance issues that might arise in the course of your business, in respect of which specific legal advice should be sought.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.