Cyber Insurance

What you need to know about Cyber Liability and your business.

What you need to know about cyber liability

It isn't just big businesses that need protection from cyber criminals. In fact, smaller businesses may be seen as an easier target. According to government figures, 39% of businesses identified a cyber attack in 2021-22.*

Of the 39% of UK businesses that identified breaches or attacks, the most common threat vector was phishing attempts (83%), and around one in five identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. One in five businesses say they experienced a negative outcome as a direct consequence of a cyber attack, while one third of businesses experienced at least one negative impact, for example requiring new measures, having staff time diverted or suffering wider business disruption.

Bear in mind this data only includes those businesses that have actually identified a breach. It is possible that breaches may go unnoticed or unreported internally.

Despite this, only 43% of businesses report being insured against cyber risks.

There are numerous ways that cyber criminals might attack your business: phishing, denial of service, man-in-the-middle, malware, ransomware and direct hacking attacks are all common occurrences and are certainly not restricted to large businesses. Indeed, smaller businesses may be seen as the easier target due to a perception that they may not have the most sophisticated protections.

These attacks are usually after sensitive data that you hold in your systems, as this data can be used in a multitude of ways that could severely impact your business. Some examples are:

  • your or your clients' data being sold on the Dark Web
  • money being extorted from you in the form of ransoms
  • access being gained to your or your clients' bank accounts etc.
  • reputational damage being wreaked on your online social media or website
  • email addresses being used to elicit personal data from third parties or for onward propagation of viruses and malware etc.

In addition, these attacks may also cause physical damage to hardware, divert a substantial amount of staff time into dealing with the repercussions and potentially cause loss of revenue to your business. This is all in addition to the likely punitive measures incurred for a breach of GDPR.

Cyber risks are not easy to manage, especially when you consider that the average percentage of staff employed within small firms who use personally-owned devices to carry out regular work-related activities is approximately 50%.* This, coupled with the increased usage of IT equipment at home following recent events, may pose additional risk management challenges.

Cyber liability policies can help to protect your business from claims and expenses resulting from a data breach relating to your IT systems and networks.

These losses take the form of either 'first-party losses' – your own business assets – or 'third-party losses' – assets of others, typically your customers.

Examples of first-party losses that can be insured include:

  • Loss or damage to data
  • Loss of income and additional expenditure
  • Cyber extortion
  • Customer notification expenses
  • Theft of money or digital assets
  • Public relations and crisis management expenses
  • Forensic experts to investigate and advise
  • Loss prevention measures
  • Fines and penalties (except those that cannot be insured against by law)

Examples of third-party losses that can be insured include:

  • Fines and defence costs arising in respect of security and privacy breaches except fines that you cannot insure against by law.
  • Damages and defence costs that result from unintentionally transmitting, or failing to prevent or restrict the transmission of, a computer virus, hacking attack or denial of service attack from your computer system to a third-party.
  • Loss of third-party data, including payment of compensation to customers for denial of access, and failure of software or systems.

Examples of exclusions or policy conditions may include:

  • Punitive fines and penalties are excluded.
  • The excess for loss of revenue claims under Cyber policies is typically time-based, e.g. you must have been affected for more than 12 or 24 hours.
  • The cost of correcting any failings in procedures, systems or security is generally excluded.
  • Product liability or professional indemnity is excluded as this can be covered under more specific policies.
  • The cost of normal computer system maintenance is excluded.
  • Losses arising from external network failure are generally excluded.
  • There are requirements for policyholders to back up data – normally at least every 7 days – and for that data to be stored safely.
  • There will also be a requirement that, where available, computer systems must be protected by a virus-protection software package which is paid for and up to date.

In summary:

One of the primary benefits of Cyber Insurance is access to legal support and expert guidance and assistance from cyber specialists if your business falls victim to a cyber-attack. The extent of cover afforded is broad; it can be adjusted to your requirements and, in most instances, is available as an additional section of cover.

Cyber insurance is available from Morton Michel to help protect your business from claims and expenses resulting from a data breach relating to your IT systems and networks.**

If you have any questions then please contact the Morton Michel team on 0330 058 9861 or email us at

*Cyber Security Breaches Survey 2022.

**Exceptions and exclusions apply. Punitive fines and penalties are excluded, as are external network failure and the cost of correcting failings in procedures, systems or security, along with normal IT maintenance. You are required to back up your data and, where available, must use up-to-date virus protection software. Full details are available in our policy wording.