Cyber liability insurance from Lucas Lettes & Partners

1. Cyber liability insurance Protecting your organisation Would your organisation recover from a cyber attack? Cyber attacks were big news in 2015, with many high profile news stories about well known brands – and their customers – falling victim to security breaches. But what is not so well publicised is the number of attacks on smaller organisations. According to figures in the Information Security Breaches Survey 2015 – a report commissioned by HM Government – 74 per cent of small businesses suffered a security breach in 2015.That’s an increase of 14 per cent on the previous year. Unfortunately, it’s smaller organisations that more often don’t have the financial resources to recover from an attack, making it arguably one of the greatest risks of 2016. Over records are now exposed every time a UK business suffers a data breach.* is the average number of days a business can be out of action following a cyber attack.* lucasfettes.co.uk Last year, 74% of small organisations suffered a data security breach.* Don’t add your name to the list this year. days10 is the average cost to a small business of its worst security breach of the year.* £75k–£311k 23,000

2. What insurance covers are available? There are a number of ways in which your organisation could be exposed – but there are covers available to mitigate the risk, for example: Multimedia liability Covers the insured company for claims against them of defamation, libel and slander, and unintentional infringement of intellectual property rights such as copyright, plagiarism or piracy. Example claim: Easy Group sought compensation from sixty separate companies who had the word“easy”in their registered internet domain name. In one specific case Easy Group took legal action against easypeople.co.uk and demanded that they pay the fee of £100,000 for its legal costs in pursuing the matter. Network security and privacy liability Covers the liability of the insured company should they fail to prevent the transmission of a virus, or a denial of service attack to a client’s network, or destroy data that has been entrusted to them by a third party, or fail to prevent the unauthorised disclosure of confidential information. Example claims: A supermarket’s point of sales system was hit by external malware, disabling communication between the registers and the inventory machine.The supermarket ran out of stock and had to close until the till system was fixed and stock replenished. A multinational insurance company was punished by a multimillion-pound fine by the UK’s regulator when it lost a backup tape containing the private details of over 46,000 policyholders. An employee’s laptop or USB flash drive is stolen containing your customers’information. Privacy notification costs Covers the legal costs, including postage and advertising, incurred by the insured company in notifying its customers that a network or privacy breach has occurred, potentially compromising customer data. Note: Whilst data breach notification laws do not currently exist here in the UK other than for communication service providers, it is important to consider that companies doing business in the USA (and certain countries within Europe) should be aware of state legislation that requires companies to notify individuals of security breaches involving personally identifiable information.

3. Credit assistance expenses Covers fees incurred by the insured company in the procurement of professional credit monitoring services or identity theft assistance for individuals affected by a network or privacy breach. Example claim: A business services company conducted a mailing project for a customer and inadvertently mailed out approximately 60,000 envelopes bearing account numbers on the outside. It claimed £220,000 for notification and credit monitoring services. Crisis management expenses Covers expenses incurred by the insured company for professional fees in relation to legal advice concerning a media strategy, crisis consulting and independent public relations services following a breach. Example claim: An investment adviser’s chief customer service officer had his laptop stolen.The laptop contained more than 100,000 customer records, including social security numbers. Costs for hiring a public relations firm to restore customer confidence or mitigate negative publicity generated by the incident were £75,000. Forensic expenses Covers fees incurred by the insured company for specialist forensic auditors or investigators who have been retained to conduct a review or audit to substantiate how the breach occurred. Example claim: A travel agency with four locations, £650,000 turnover and 30 staff, experienced three separate data breaches over a three-year period, in which hackers gained access to their computer system. Over 250,000 individuals’credit card and passport details were compromised. £1.2m was paid for the forensic and legal costs in defending the investigation. Electronic data rectification expenses Covers all reasonable costs and expenses incurred to repair or restore the insured’s computer system to the same or equivalent standard as immediately before it was damaged or destroyed by a network security breach. Example claim: A manufacturer had a disgruntled employee delete their entire database. It cost the company £5m in lost revenues and £1.3m to replace the lost data. Cyber extortion Covers the insured company for extortion demands where there is a credible threat to destroy the insured’s computer system or website, or a threat to introduce a malicious code or a denial of service attack. Example claim: A law firm with a turnover of £1.3m and eight staff had its server and client records locked by Ransomware software. It was only able to get the files released after paying a ransom of £50,000 to hackers.

4. Lucas Fettes & Partners Limited are independent insurance intermediaries authorised and regulated by the Financial Conduct Authority. * 2015 Information Security Breaches Survey, HM Government. 43/16 GM004 Talk to us As an independent insurance broker we have access to over 300 insurers and will arrange cover based entirely on your needs and budget. We can also provide impartial advice and guidance on a range of risk management measures. To find out more, please speak to your usual Lucas Fettes & Partners contact or your local office. Berkhamsted T: 01442 866670 E: berkhamsted@lucasfettes.co.uk Bristol T: 0117 989 8300 E: bristol@lucasfettes.co.uk Chichester T: 01243 530450 E: chichester@lucasfettes.co.uk Glasgow T: 0141 248 1620 E: glasgow@lucasfettes.co.uk London T: 020 7413 0999 E: london@lucasfettes.co.uk Manchester T: 0161 973 9101 E: manchester@lucasfettes.co.uk Newport, Isle of Wight T: 01983 522577 E: newport@lucasfettes.co.uk Cyber business interruption Covers the insured company for loss of business income directly following a network security breach that results in a total or partial interruption to the insured’s computer system. Example claim: An online retailer with a turnover of £3m and 15 staff had its website defaced, including a link to a competing retailer’s website. Hackers then gained access to personal information about customers and took over their website. £500,000 was paid for loss of income and other related costs. PCI fines and penalties Covers the insured company for Payment Card Industry (PCI) fines or penalties arising from a network or privacy breach due to the insured’s non-compliance with Payment Card Industry Data Security Standards. Note: Since 2005 more than 80% of credit card breaches have occurred at small businesses. Failure to comply with Payment Card Industry Data Security Standards (PCI DSS) could result in fines of up to £50,000 per infringement.