Dear Doctor, as a fast-growing tech startup, we’re holding an increasing amount of customer and employee data. Can insurance help us in the case of a data breach or cyber-attack?
You’re right to be concerned. As a digital business, you’re a prime candidate for a data breach or cyber-attack, with the latest Government Security Breaches Survey showing that a third of small organisations were affected in 2015.
A data breach can have serious repercussions for you and your customers’ reputations, not to mention the cost of any legal fees, compensation claims and notifying those affected. As a startup these impacts could be crippling, damaging your reputation before you’ve even got off the ground.
Even with the best technology and security measures in place, most would agree that you’re still not immune to a breach. That is why cyber insurance is so important: it puts you in the best position to respond to and recover from an attack, if the worst does happen.
Before investing in cyber cover, bear in mind that policies vary significantly, so be sure to seek cover from a cyber insurance specialist to make sure it meets your requirements. Some key aspects to look out for include:
- The Information Commissioner’s Office (ICO) can give fines of up to £500,000 for breach of the Data Protection Act. A good cyber insurance policy will cover notification costs, legal fees defending regulatory action, and in some cases the penalty itself (where this can legally be insured).
- Cover for your out-of-pocket expenses, which could include system repair costs, lost income while the system is down, or even ransom payments to hackers.
- Cover for your website, blogs and social media against claims such as copyright or trademark infringement or defamation.
Alongside financial considerations, some cyber insurance policies can also offer an immediate response plan and external expertise as part of your cover. A quick response can make a crucial difference – with media, customers and other stakeholders judging you on how you react.
A first-response package can include a number of elements:
- A lawyer, whose job it is to take over and manage the response.
- A PR company who will advise on drafting media statements and handle all external communications about the breach.
- An IT forensics expert to work out exactly what happened, in order to rectify the problem quickly and ensure it doesn’t happen again.
- A customer call centre to field any customer questions or concerns.
- A credit monitoring service to track what sensitive details are available on the internet as a result of the breach.
A proactive and effective response plan is essential in its own right, and it’s also worth bearing in mind that having one in place could mean a lesser penalty from the ICO than if you are insufficiently prepared for a breach.
In terms of the level of cover you’ll require, your exposure is usually calculated on a per-record basis, where for every record you hold there is an assumed cost for all aspects of the cover in the event of a breach. Insurers will also be interested in your network security arrangements, so make sure you disclose all this information correctly to ensure you’re fully covered.
Also make sure you stay up to date with the insurance protection you require over time. With new technology, emerging cyber threats, and your business evolving at such a pace, just renewing the same policy as last year could leave you with holes in your cover.
Finally, it’s also worth noting that new data protection regulation coming into force in 2018 means the potential impacts of a breach will become even greater. As well as increased compliance requirements, the new rules will give customers greater powers to take legal action in the case of a breach. Fines are also set to increase to as much as €20m – so make sure you’re prepared in advance!
Digital Risks (www.digitalrisks.co.uk) is a specialist insurance provider that focuses 100% on the needs of digital businesses.