How much does a cyber insurance policy cost?
High-profile data breaches, ransomware attacks and cyber crime have raised awareness of cyber risk and have led to an increase in demand for cyber insurance. However, cover offerings in the market vary, and this can lead to confusion. Of equal importance is the cost of the insurance when looking at business budgets, so I'll try to explain the main factors that come into play when arriving at a premium.
Firstly, with any non-compulsory insurance like cyber, there is a basic business choice of whether to bear the risk as an organisation, or transfer the risk to a third party by way of a cyber insurance policy. Often two factors are considered: the cost of the policy measured against the potential perceived risk. With cyber insurance, there can be an indifference to the purchase of cover as cyber is still a relatively new and emerging threat to business. A company will have a feel for the risk of, say, a motor accident or a fire and will therefore purchase insurance protection, but with cyber the risk is less tangible, and hence, if an organisation has not experienced the impact of a cyber incident, there may be an "it won't happen to me" mentality.
However, a cyber insurance policy carries many benefits and can be a cost-effective solution to protect a company's balance sheet against a cyber security breach. If cyber insurance is purchased, it will minimise the financial impact of a systems breach and remove uncertainty. Without a policy, there remains an uncertainty that a cyber attack could happen which could impact on the company's profits.
Generally, a cyber policy will include a combination of 1) first party covers: incident response, IT forensic costs, PR and breach notification costs, ransomware, network interruption and computer crime; and 2) third party covers: civil liability for breach of confidential information and regulatory defence costs under the General Data Protection Regulation (GDPR).
So turning to cost, what factors do insurers consider when arriving at a price?
1) Turnover - Insurance underwriters require a guide to the size of the company, and the best financial indicator, and therefore the number they use, is the annual turnover. It follows that a larger company will be involved in more online traffic, more electronic transactions and have more revenue at risk, and therefore premiums will vary in line with turnover.
2) Cyber Security Risk Management - Whilst this is more of a factor that governs the general acceptability of the risk to insurers, an underwriter will require information on the measures in place to prevent a cyber attack and minimise impact. Businesses who follow best practice guidelines with respect to cyber security are more attractive as an underwriting proposition and will attract better value rates. Like any form of insurance, the underwriter expects a level of risk mitigation to be in place. After all, you would not expect to obtain theft insurance with no locks on your doors and windows. Similarly, you would not expect to obtain cyber insurance if you have no firewall or virus protection.
3) Data - The amount of personally identifiable information held by the business on its systems and the type of sensitive information held is a key factor. The more information on record, the larger the potential number of affected data subjects in the event of a data breach. As mentioned, cyber cover will include notification costs and statutory defence costs under GDPR and also civil liability cover against actions by third party data subjects. The number of records and their nature is therefore of interest to the underwriter.
4) Sector - Whilst the majority of business sectors will attract similar cyber insurance rates based on turnover, certain sectors will require specific underwriting and may attract higher rates. These tend to be businesses who hold large volumes of personal data, sensitive data or are involved in a lot of online traffic and/or financial transactions. Examples include financial institutions and the healthcare sector.
5) Indemnity Limit - Like liability insurances, there are different levels of premium depending on the policy limit selected. Indemnity limits can range from £100,000 up to £5,000,000 and above depending on perceived exposure.
6) Claims or loss experience - In common with any other insurance, if there have been previous claims it can impact on the premium.
7) Cover options - There are variations in types of cover, but most insurers will have a core package price which should include some cover for incident response and data protection liability. Depending on the insurer, some covers may be available as optional extras and will attract additional premiums such as cyber business interruption and electronic funds transfer fraud.
SO HOW MUCH DOES A POLICY COST?
For a policy covering incident response and data protection/cyber liability, prices start from around as little as £250 for a small organisation with a modest indemnity limit of say £100,000 or £250,000. Premiums then increase in line with the turnover of the organisation and/or the selected indemnity limit and/or optional covers. Generally, premiums will be in the thousands for companies with higher turnovers and higher indemnity limits but do vary depending on insurer and sector. To get a bespoke price, contact us and we can tailor the product to your organisation depending on your risk and your needs. Ring us on 0191 3000220 for a free consultation.
John Baty ACII - Director - Cheviot Insured