Who gets insurance with Cyber Essentials?
Organisations that get certified to Cyber Essentials will automatically be entitled to cyber insurance if they certify their entire organisation, are domiciled in the UK or Crown Dependencies, and their annual turnover is under £20m.
How to obtain the insurance?
As part of the certification process, the applicant is asked if they would like insurance. They must fulfil the criteria (see above), and confirm that all the statements within the Cyber Essentials application are true. The insurance documents will then be sent to the applicant alongside their Cyber Essentials certificate.
What is covered by the insurance?
The policy provides a £25,000 limit of indemnity and is designed to protect an organisation in the event of an accidental or deliberate breach; this could be a virus, denial of service or even a laptop left on the bus. If the organisation suspects they have experienced a cyber incident or data breach, they should immediately contact the AIG 24-hour helpline on 01273 730992.
The organisation and their IT team will be provided with the appropriate technical, legal and crisis management support to help them with:
- Identifying the problem
- Restoring systems and data
- Providing legal advice and litigation defence
- Notifying data subjects
- Giving public relations support
- Handling ransoms, fines and penalties
- Payment of lost profits
In more specific terms, the policy provides the following cover:
Liability: claims made against you arising out of Digital Media Activities and Security and Privacy Liability.
Event Management: The reasonable and necessary fees, costs and expenses Notification Expenses; Credit Monitoring and ID Monitoring Expenses; and First Response Expenses.
Extortion Threat
Regulatory Investigation (defence costs) and Data Protection Fines (where insurable at law).
Network Interruption: The reasonable and necessary costs and expenses that a Company incurs to minimise the Network Loss or reduce the impact of a Material Interruption; provided however, that the amount of Network Loss prevented or reduced would be greater than the costs and expenses incurred.
What is not covered?
There is a £1,000 excess and a six-hour Business Interruption excess. The policy does not cover money stolen via electronic means or cyber fraud.
Who is the insurer?
The insurance is provided by AIG.
How long does the policy last?
The policy covers the same period as the certification.
How does the business make a claim?
At first suspicion of an incident, the client should immediately contact the AIG 24-hour helpline on 01273 730992. AIG will assist the client and their IT team in responding to and recovering from the incident.
What security must the business have?
To obtain cover, the client must meet the Cyber Essentials standard. They are also required to maintain automatically provided updates from their software provider for critical business software. This should be in place as part of certification, but it is important that the client maintains this for the insurance to remain in force.
What limit of cover is provided?
The insurance provided with certification gives a £25,000 limit of indemnity. This might be sufficient for a small incident but will be inadequate for a more serious problem or multiple incidents. For a higher limit, the client can contact Sutcliffe & Co at cyberessentials@sutcliffeinsurance.co.uk or call 01905 21681.
Are there any restrictions on who can get the increased level of insurance?
As long as the client certifies their entire organisation, is domiciled in the UK or Crown Dependencies, and has an annual turnover under £20m, they are eligible for the insurance and can increase cover to £250,000 for a fee. There are no restrictions on their type of business, their geographic activities or previous claims.
What if the business turnover is more than £20m?
Organisations with a turnover above £20m are not eligible for the automatic insurance.
How does the client renew their insurance policy?
The policy is connected to certification and cannot be renewed on its own. To maintain cover, they will need to renew certification or take a separate stand-alone cyber insurance policy.
What if they don’t want insurance?
When they complete the Cyber Essentials assessment, there is an option to opt out of the insurance. This does not change the cost of certification.
What if the business already has cyber insurance?
Clients cannot claim on 2 policies, so we recommend declining the free insurance. There is no refund or discount.