Data Breach Indemnity Insurance consists of a package of covers that protect a business against the costs that follow from a data breach.
There are three major forms of data breach:
The losses are also numerous and include:
Data breach insurance as a product has a number of components to its cover designed to address specific risks identified above. A comprehensive list of these covers is given below.
A Data Breach Indemnity Insurance is a collection of the covers below chosen to suit the circumstances of a particular business with limits of indemnity set from a scenario analysis of the potential scale of losses for that business.
Covers ransom or extortion costs arising from either ransomware blocking a user accessing a computer or from demands made to recover data on the computer systems of the business that were obtained through unauthorised access.
Covers losses that arise from request flooding type of attacks that swamp websites and systems rendering them unavailable and often causing them to crash. Businesses that rely on a web portal or online sales are particularly vulnerable to this type of attack. Classic attacks styles are Distributed Denial of Service (DDoS) and Network Data Flooding.
Failure of a component of the company’s computer or network system. This is not a data breach cover, but an important component of any broad insurance package.
Public Relations, response consultants and press management services following a significant data breach or systems failure issue. Management of the public response to an issue like the Talk Talk data breach or the RBS system failure that impacted access to bank accounts.
Covers and fines or penalties such as a fine by the Information Commissioner’s Office (ICO) following a breach of General Data Protection Rules (GDPR) or a breach related to card transaction regulations.
Covers the cost of legal support through an investigation by a regulator or the legal costs of defending a third party claim relating to a data breach.
Covers the costs of technical specialists to investigate and remedy a systems breach that leads to data loss and identify the data impacted. Most good insurers provide not only the financial cover, but arrange for their own retained experts to undertake this work. Access to the appropriate skills is a significant issue for smaller businesses.
The costs of notifying the individuals whose data has been affected following a data breach. Most data regulators, including the ICO, have notification standards. The cost of notifying a large number of people and advising them how to protect themselves following a data breach can be very large.
Covers the costs of claims arising from the company’s own Social Media postings. Claims can arise from liable, infringement of intellectual property, breach of confidentiality or right to privacy, and breach of comparative advertising regulations.
Covers the cost of reinstating a payment service if it is withdrawn, including the cost of any additional security required.
Covers the costs to recover or reinstate data that has been lost damaged or corrupted.
Covers the cost of recovering computers from a malware or virus attack as well as the cost of claims from parties that claim that their systems were infected by malware and viruses originating in the company.
Some enhanced cyber cover can be added to Professional Indemnity insurances for aorund £100. These, however are not true data breach and cyber covers.
The minimum cost of a true data breach and cyber cover at a minimum is £900. The type of package the MRSL Enterprise would recommend for a private medical business is around £5,000.
Cost aside the most significan issue that small business wil lface is getting insurance at all. Insurers will require current computer security good practices in place. The National Cyber Security Centre's Cyber Essentials certificate is a great place to start.
MRSL Enterprise is providing a package of training and insurance to help small businesses understand, mitigate and insure their data breach and cyber risk. This is described on our Services page.