Cyber Liability Insurance For Charities

Duncan Sutcliffe knows a thing or two about cyber insurance: his company, Sutcliffe and Co Insurance Brokers, has been insuring organisations against the eventuality of a cyber attack for over a decade. Sutcliffe and Co are also behind the £25,000 worth of cyber insurance included with Cyber Essentials. We asked Duncan to give us the lowdown on cyber insurance for charities.

Charities are particularly vulnerable to cyber attack because they often lack the resources to provide robust security, modern equipment and staff training. On top of that, charities rely on volunteers who may be using their own devices and personal email accounts and who may lack security awareness. Many charities handle frequent and varied financial transactions as well as sensitive data, which is attractive to criminals and, if breached, can lead to regulatory issues and litigation.

Will our professional indemnity insurance cover data breaches?

Professional indemnity insurance is designed to cover your charity for errors or omissions in the services or advice that you provide. Some professional indemnity policies, as part of the errors, omissions and negligence cover, include limited cover for third party loss of data, which means they would cover mistakes such as losing customer data or sending data to the wrong person. This third party cover is likely to be very limited, and it is usually necessary to have the additional cover of cyber insurance, which is far more comprehensive when it comes to a data incident and includes both third party and first party cover.

In recent years, insurers have been told by the regulator to make it clear whether cyber is, or is not, covered in their policies. If it is covered, it has to be made very clear what the cover is restricted to, and in many cases insurers are explicitly saying that there is no cyber cover. Certainly for organisations that deal with financial transactions and hold a great deal of sensitive data, it is quite common to have an endorsement saying that the policy no longer gives you cover for cyber. Insurers want to remove that cover because professional indemnity insurance was never designed to cover cyber risk. It was there to cover professional mistakes, not the increasing tide of data breach claims. In a nutshell, your professional indemnity gives very limited cover, or indeed no longer covers you at all, for cyber incidents, and you need a separate cyber insurance policy.

What is cyber insurance?

Cyber insurance is there to cover an organisation in the event of an accidental or malicious data breach or data incident. Sutcliffe and Co have seen claims for all kinds of incidents, malicious or accidental, ranging from viruses to misdirected emails.

What does cyber insurance cover?

A basic cyber insurance policy will cover the technical incident response costs and the legal, regulatory and crisis management costs. This can be compared to an emergency response service. A more comprehensive cyber insurance policy might cover more. Depending on the size of the cyber attack, and the amount of cover you have on your insurance, the policy could pay fines and penalties where legally permissible. It can also cover lost income where the incident stops your services or causes a downturn in revenue. In the event of ransomware, a policy would help with restoring systems and data.

Cyber insurance is included as part of Cyber Essentials for UK-based organisations that certify as a whole organisation and have a turnover of less than 20 million. This cover gives up to £25,000 worth of liability.

In the event of a breach, the policyholder would immediately be able to ring an emergency helpline. They would then receive the services of a cyber incident response team whose job is to find the problem, stop the problem, and restore their systems and data. They would also receive help from a legal team who would deal with any litigation and regulatory issues. This could be anything from a breach of the Data Protection Act to a breach of contract. Crisis management and PR support would assist them with communications, and that might include support to notify data subjects. An example might be the discovery of a data breach that may have compromised clients. The insurance would close the breach, assess the extent of the breach and then notify the clients and the Information Commissioner. It would then deal with any regulatory and legislative issues. The crisis management team would help minimise any reputational damage.

The Information Commissioner has said that if you suspect you’ve had a data incident you must report it within 72 hours. When you do report it, you’ve got to tell them what’s happened, what you’re doing about it, who may be affected and the scale of it. This can be really difficult. But if you’ve got cyber insurance, you can very quickly have forensic and legal people there who will be able to put together a presentation for the Information Commissioner, telling them who’s affected and what you’re doing about it. The Information Commissioner has also said that, in regard to punishments, their view will be strongly influenced by how you respond to an incident. They have also said that if you have Cyber Essentials certification, your punishment will be reduced.

Will it make a difference to my insurance if I have a cyber security certification?

Many professional indemnity proposal forms or application forms now have questions about cyber, or an additional cyber questionnaire that comes with them. If the insurer is concerned that the risk is too high, they might impose an endorsement on the policy excluding cyber. However, if an applicant can prove that they are lower risk due to a cyber security certification such as Cyber Essentials, that instantly answers a lot of questions and provides a lot of reassurance. So in this example, the applicant might be able to keep some cyber cover, or if not, it might enable them to get cyber insurance at a cheaper rate.

When an organisation applies for cyber insurance, do they have to prove they have mitigated risk?

Anyone who wants to buy cyber insurance has to prove a certain degree of cyber security, in the same way that with your house insurance you have to confirm that you not only have a front door, but that the door has a certain standard of lock on it. As with home insurance, if you don’t have many valuables, insurers will be happy with a standard five-lever mortice deadlock. But if you live in a palace with lots of possessions, then insurers might insist upon an alarm and CCTV. To determine the risk, cyber insurers will look at your size and sector of business, your existing security levels, and the amount of data you keep. Insurers like to see firewalls, virus protection, multi-factor authentication and software patching – achieving Cyber Essentials certification ticks most of the boxes that insurance companies expect. They also like to see a robust backup procedure and regular staff cyber security awareness training.

How much could a cyber attack cost?

Cyber claims come in all shapes and sizes, ranging from the inconvenient to the catastrophic, and are just as likely to impact sole traders as global firms – the difference being that global firms have well-resourced defences. Examples of cases that Sutcliffe and Co have seen include ransomware on a school that cost £60,000, a disgruntled volunteer who made data protection allegations to the Information Commissioner which cost the charity £5,000, and a virus which infected the IT system of a hospital and spread to connected medical equipment, which ceased to function, at a cost of £3.5m.

For a small charity (with fewer than 50 employees), a small breach tends to come in at between £10,000 and £30,000. A large breach for a small charity could come in at between £60,000 and £80,000, but there have been some huge cases recently. Some of the most expensive breaches recently have involved ransomware.

The free cyber insurance included in Cyber Essentials would usually cover the costs of a small breach and would certainly cover the essential emergency assistance for a breach. A large breach can cost astronomical amounts, and any organisation can upgrade their insurance cover to higher limits of indemnity. Most insurance companies will take into account whether a charity has certified to Cyber Essentials, because Cyber Essentials is shown to reduce the risk of a cyber breach by at least 80%.