Law and standards

Cyber insurance

What does cyber insurance cover?

Cyber insurance covers the financial consequences of an attack on a company's IT. A policy usually combines first-party cover, for example business interruption and data restoration, with third-party liability cover for claims brought by others. The precise scope is set out in the policy.

Cyber policies are modular and are assembled to suit the business. First-party cover typically pays for restoring data and systems, loss of income during a business interruption, forensic investigation of the incident, meaning the technical reconstruction of what happened, and crisis communication and advice. Some products also address matters connected with extortion. Third-party liability cover responds to claims brought by others, for instance after customer data has been exposed. The modules that actually apply are set out in the policy schedule.

Before cover is granted, the insurer asks risk questions, for example about backups, patching, anti-virus protection, two-factor authentication and access rights. These questions must be answered truthfully. Contracts also impose obligations that continue throughout the term. A breach of those obligations may allow the insurer to reduce or refuse payment. This part of the wording deserves careful reading.

The benefit of a policy begins once the damage has occurred, as it pays for costs and lost income within the agreed scope. How long the business remains at a standstill depends on its own preparation, namely on whether a tested backup exists and on whether the order for bringing the systems back has been defined.

The sensible first step is therefore to establish the current state of the IT before the proposal form is completed. That means backups following the three-two-one rule, meaning three copies of the data on two types of media with one copy kept off site, together with a documented restore test, two-factor authentication on every externally reachable account, systems kept up to date, and a clear picture of who holds which permissions. The IT-Check covers eight areas and more than 100 checkpoints and records the findings and an action plan in a written report supplied within 14 working days, which allows the risk questions to be answered with evidence and open points to be closed beforehand.

For the incident itself, the insurer's reporting route belongs in the emergency plan, together with the contact details for a claim. Policies sometimes require the insurer to be involved early, in some cases before external specialists are engaged. Notification duties under the GDPR continue to apply in parallel.

All terms in the knowledge base

From the term to practice

Where does your business actually stand?

The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.

Book a first call