What is cyber insurance and do you really need it?

broken glass

Cyber liability insurance is becoming an increasingly popular way for organisations to try to protect themselves against losses incurred as a result of a cyber breach. It is forecast that the European cyber insurance market will grow exponentially between 2020 and 2030, doubling in size between 2020 and 2025. On average, growth rates each year are expected to be around 20 percent1. Driving this growth is the increasing reliance on online systems and data as companies embrace digital transformation initiatives and deliver more services and products via online channels, in conjunction with the sheer proliferation of cyber attacks.

Cyber incidents such as ransomware attacks continue to dominate headlines and cause financial, operational and reputational headaches for the companies affected. Last year (2020) broke all records in terms of the sheer number of cyber attacks on companies and governments, and the sophistication of these attacks rose in parallel. Emerging technologies, AI and coordinated cooperation between threat actors led to a level of complexity we hadn’t seen before – one such example being the SolarWinds attack. With the frequency of attacks at an all-time high, and the seeming inability of basic cyber security controls to contain them, for many business and IT leaders it sometimes feels as though a breach is inevitable – no matter what they do.

Small wonder then that many more companies have either already got or are considering taking out cyber liability insurance.

What is cyber liability insurance?

In its most basic form, cyber liability insurance is an insurance policy that protects against some of the fallout of a cyber incident. As well as minimising business disruption and providing financial protection, cyber insurance may also help with legal costs and expenses related to a cyber security or personal data breach – in the UK this excludes covering fines such as those levied under the GDPR.

However, not all cyber insurance is created equal, and different policy providers cover different things. In general, insurance will cover the immediate costs incurred as a result of a cyber attack – for example data recovery, forensic investigations and remediation measures. It may also cover the costs of a legal defence and paying compensation to customers if their personal data has been compromised.

Phishing scams or Business Email Compromise (BEC) are sometimes covered by a cyber insurance policy, but often only as part of a specific policy that relates to BEC.

Some cyber insurance policies will also cover the cost of paying a ransom in the event of a ransomware attack, despite the fact that this is not recommended by the information security industry or law enforcement. However, when compared with the cost of clearing up after a ransomware attack the ransom itself tends to be smaller – hence it being the preferred option.

There are a number of things that aren’t usually covered by cyber insurance – such as loss of intellectual property and brand/reputational damage.

The general advice is to make sure that you know exactly what the policy covers (and what it doesn’t), and that it’s sufficient for your needs before you sign on the dotted line. What is sufficient will depend on an analysis of which of your assets are most critical to the operation of your business and to serving customers. Some insurers are only too happy to help identify this – for a cost.

The NCSC also points out that it’s worth checking if your organisation already has cyber insurance in place as part of existing policies, such as business interruption or property insurance. This might provide some level of coverage, but again it is important to know exactly what is and what is not covered.

Do I need cyber liability insurance?

Every organisation is different, but if your business operates online, if you store or process personal data or if you rely on technology to operate, then you should consider investing in cyber insurance. Which basically means every business out there.

How much does cyber insurance cost?

Like every other type of insurance, cyber insurance costs vary dramatically. The cost is calculated using a number of factors – including annual revenue and number of employees, and the industry you operate in. Some industries – like financial services and healthcare – are more prone to being the target of a cyber attack, hence a policy will be more expensive.

Other elements the insurer will take into consideration are the types of data the organisation typically handles, and existing cyber security controls. If you are deemed to have poor cyber hygiene, or if you have been breached in the past, you will likely be charged more as you represent a higher risk. It therefore pays to have robust cyber security measures in place already, and to be able to demonstrate to your provider that you take a proactive approach to cyber risk management.

Cyber insurance premiums overall have increased in price significantly during the past couple of years – according to a recent report from international insurance broker Howden premiums have increased by an average of 32% year-on-year as at June 2021. Price hikes have been driven in part by sheer number and scope of ransomware attacks, as well as by increases in the number of claims – indicating that many businesses are not as well-protected as they could be against cyber incidents. This is also driving increased vigilance and caution on behalf of insurers who want to know that their clients have taken reasonable steps to prevent a breach in the first place.

What do I need to do to get cyber insurance?

Before speaking to any potential insurers, there are certain things you’ll need to do to prepare for taking out a policy. Firstly, you’ll need a good understanding of the organisations “crown jewels” in terms of systems and data – those you absolutely must protect. Secondly, you’ll need to be able to demonstrate that you have your house in order in terms of the controls and measures you currently have in place. Think of it like car insurance, you have a policy to protect your car against loss and damage, but you wouldn’t leave it unlocked on your driveway with the alarm disabled. Your insurer will also expect you to maintain accurate records of your cyber security controls over time – even after you have insurance, you can’t then decide to cease any further cyber security investments.

Cyber security controls and cyber insurance – a partnership in protection

Cyber liability insurance should not be seen as a replacement for effective cyber security. Rather it is there to protect you should you become the victim of a cyber incident – despite the measures you have put in place. No cyber security defence is completely impenetrable, and cyber insurance can be a useful backup should all else fail. Just don’t make the mistake of prioritising a policy over protection – prevention is always better than cure.

To learn more about effective cyber security measures from norm. get in touch with the team using the form below…

1Source: Statista

Peter bowers

Written by Pete Bowers
Pete Bowers is COO at norm. where he is responsible for the overall operational and financial functions of the business. He also oversees customer innovation and success, and plays a pivotal role in the ongoing development of cyber security and data protection services which deliver transparency and tangible value to norm.’s growing client base.