Silent insurance change could leave business out-of-pocket for cyber loss

Thanks to a quiet change, it's very possible that the insurance cover relied on by Lancashire's 52,000 businesses now specifically excludes cover for cyber risks, leaving them under-insured and exposed to potentially significant losses.

It stems from the insurance industry's efforts to remove somthing known as 'silent cyber' or 'non-affirmative' cyber cover from policy wordings.

Whatever your office policy, general property, liability, or professional indemnity policy may have said previously, it wouldn't usually have included specific mention of cyber-attacks in the warning, either to include or exclude them from cover.

It's almost certain that these policies will now specify if cover is provided for losses caused by cyber tisk in two categories: malicious acts (cyber-attacks) and non-malicous acts including accidental acts or errors, with many choosing to exclude cover for one or both.

Concerns about silent cyber were first raised by the Prudential Regulation Authority in 2016, which is what sparked the industry to make changes.

And the picture is worsening, with insurance giant Lloyds of London now saying it will no longer provide cover for state-sponsored ransomware attacks from 2023 onwards.

Rob Stanway, operations director at Chamber members Abbey ICT, said it's important businesses do three things to reduce their exposure to cyber-related losses: "Firstly, it's vital that businesses check the wording of their current policies to see if there's now a specific exclusion.
"Secondly, if their general policies are found to exclude cyber risks, it's important to get separate cover. Worryingly, we've seen it reported that only around 5% of businesses have this in place right now. But take proper advice from a broker that knows what they're doing, like Chamber Patrons PIB insurance.

"And thirdly, don't just rely on insurance to mitigate your losses after-the-fact, take proactive steps to make your business more resilient to malicious and non-malicious acts in the first place."

Abbey ICT has previously produced simplified cyber security guidance for smaller businesses on how to improve their defences. Rob said it was intended to provide business owners and managers with simple, concise and easy to digest advice on practical steps thaey can take to strengthen their cyber resilience, like changing passwords, installing and keeping anti-virus software up to date, and educating staff on what to look out for.

"All businesses store and use sensitive data these days, whether in on-premises servers on in the cloud. These systems are all venerable to external 'brute force' attacks, but it's also possible for staff to make mistakes that cause the loss of data - whether that's by inadvertent deletion and corruption, or by being tricked into giving fraudsters and hackers access to networks.

"As well as implementing the Abbey ICT cyber security guidance, we recommended businesses explore gaining Cyber Essentials Certification too."
Posted in Press releases on