Cyber Insurance & Cyber Risk Management

The last decade has seen a number of highly publicised and costly cyber incidents which have impacted organisations across the globe and, more importantly, across a range of industry sectors.

Cyber risk is now widely accepted as being one of the top emerging risks. As the pace of technological change continues unabated, organisations’ reliance on computer networks and the information they hold has become critical to their ability to offer products and services, interact with customers and employees, as well as ultimately generate revenue.

This shift in emphasis from tangible to intangible assets brings with it a need to address the threats to an organisation’s critical network infrastructure, in what is a continually changing risk environment.

We can provide bespoke cyber risk management solutions and cyber liability insurance across a variety of industries. Our team of experts will work with you to find the right multi-dimensional cyber risk solution to cover your business against data breach and cyber-attacks.



‘Cyber’ can seem a daunting and complicated concept, but it doesn’t need to be. We’re here to help you understand the specific risks your company faces and find you the insurance solution that caters to your individual needs.

We can clarify any misinformation you have received and demystify the boundaries of cyber risk, helping you to decide which cyber loss scenarios are most relevant to your company and what your risk profile looks like.

We can highlight exactly what is covered under a cyber insurance policy to ensure that you feel confident when choosing the right policy for you.

Our team can also help to improve your company’s cyber security awareness, so that your employees and C-suite remain vigilant against any potential threats.

Our team features a diverse group of talented and experienced specialists with a shared interest in delivering successful results and tangible value for our clients. Our standalone cyber products and bespoke cyber extensions can give you peace of mind in the midst of the headlines.

Every company has some form of cyber exposure. Over the years we’ve delivered a tailored service to clients across a range of sectors.


Despite the name, cyber risk emanates from both online and offline sources. It exists in modern reliance on electronic communication and connected, technology-driven processes, but the data privacy elements of the risk are just as prevalent off the internet. Consider a lost mobile device containing confidential information, a hacker gaining physical access to upload malware onto an online ticketing system, or a stolen lever arch file.

Cyber incidents can be created by numerous actors with a variety of motivations. Generally speaking, these fit into four categories.

1. The most prevalent and feared is the malicious external actor, who could be a criminal with a profit motive based on the value of confidential information, a politically motivated group of hacktivists seeking to cause disruption, or terrorists seeking to use technology to create physical consequences.

2. Malicious actors also exist inside companies and may either be disenchanted individuals with highly technical knowledge or access, or simply call center or clerical employees approached by a criminal with an inducement to steal data, introduce malicious code, or just provide physical access.

3. Employees also create cyber scenarios through human error via clicking on the link in a phishing email, leaving a laptop in the airport, connecting to unsecure Wi-Fi networks or failing to check the security credentials of an unfamiliar individual on a work site.

4. External accidents happen as well, via the vast web of vendors and outsourcers that modern companies rely upon. Many companies enforce strict security and data privacy regulations on perceived high risk vendors such as data processors, but fail to consider that even the low-tech vendors pose cyber risk.

Cyber liability insurance is designed to mitigate both the first and third party costs that may be incurred from a cyber attack. First party costs your business may incur directly as a result of an incident:

Crisis management costs
Practical support in the event of a data breach (electronic or otherwise) including forensic investigations, legal advice, notifying customers or regulators, and offering support such as credit monitoring to affected customers.

Cyber extortion
A policy will protect you if a hacker tries to hold your business to ransom by covering the ransom you have paid, as well as the services of a consultancy firm to help manage the situation.

Cyber business interruption
Compensation for loss of income, including where caused by damage to your reputation, if a hacker targets your systems and prevents your business from earning revenue.

Data restoration
Reimbursement of the costs of repair, restoration or replacement if a hacker causes damage to your websites, programs or electronic data.

Third party costs you may be liable to pay to others:

Security and privacy liability
Coverage for defence costs and damages for third party claims arising out of a failure or violation of the security of a computer system or network that results in unauthorised access, unauthorised use, a denial of service attack, or the receipt or transmission of malicious code.

Coverage for claims alleging a failure to protect confidential information or failure to disclose any security or privacy event, any unintentional failure to comply with a company’s privacy policy, or any violation of a federal, state, foreign or local privacy statute are all included under these coverage grants.

This can also include coverage for payment card industry data security standard (PCI DSS) fines, penalties and/or assessments.

Multimedia liability
Protection if you mistakenly infringe someone’s copyright, for example by using a picture online without permission, or inadvertently libel a third-party in an email or other electronic communication.

Regulatory liability and fines
Cover for costs to respond to governmental investigation arising out of a privacy event. Coverage for fines and penalties to the extent allowed by law.

Most industries have become inextricably reliant on technology and the use of data. On the one hand, this represents an opportunity to improve efficiency and profitability, while on the other it brings with it a host of emerging risks. Cyber-related exposures are real and ever-increasing in this complex area of risk: global in nature, acting without regard to geography, sector, or business size.

Cyber incidents can affect any company in a variety of ways. Data is often the target of a cyber-attack, whether it’s personally identifiable information of employees or customers, confidential information of other businesses shared under a confidentiality agreement, or the company’s own confidential data such as trade secrets, business protocols, or customer lists. Media content published in cyberspace also falls in scope, and can result in allegations of defamation or intellectual property infringement. Social media use by companies and their employees expands the risk picture to include reputation and security issues. Finally, technology, both information technology and operational technology, is inextricable from the daily operations of most modern companies. Technology can fail or fall victim to a cyber attack, causing business interruption or liability consequences.

Despite increased awareness about cyber risk, relatively few organisations have actually identified their cyber exposures, and even fewer have attempted to quantify them.

For most clients exploring cyber insurance for the first time, the exposure analysis and underwriting information gathering process for a dynamic risk like cyber can be daunting, and often the insured isn’t left with any clearer understanding of how their exposure has changed from year to year or in comparison to their peers.

Our Data Organiser tool efficiently facilitates cyber risk information gathering, illustrates your organization’s comparative cyber risk exposure, and benchmarks you against peers with respect to exposure and maturity. Insureds can then evaluate changes in exposure and maturity from year to year, which can be used both to form the basis for an underwriting submission and to provide insights for information security and other risk mitigation investments.

The sharp rise in cyber-crime has caused big business to look seriously at how the insurance industry can help mitigate business risks associated with a data breach. But a lack of actuarial data and the inability to put a price on a risk with so many moving parts lead many to ask: is cyber insurance worth it?

With insurers paying millions of dollars annually for claims on cyber policies, cyber insurance has demonstrated its worth to companies with data privacy and network security risks. As with every line of coverage, however, there are potential pitfalls that insureds might face, but can avoid.

For instance, in 2017 a federal court found that a US restaurant chain could not recover payment card industry (PCI) fines, penalties, and assessments incurred under a master service agreement with its credit card processor. Specifically, the court ruled that an exclusion for contractual damages barred recovery. However, the restaurant’s insurer paid USD 1.7 million in other costs that resulted from the data breach, which affected 60,000 customers. Moreover, insureds should be aware that many carriers currently provide terms that expressly cover PCI fines and penalties, and will carve back the contractual exclusion to avoid any conflict. So the total loss quantum would have been recoverable if the insured had a well-drafted policy.

Cyber insurance is a rapidly changing market. Insureds should work with their brokers to ensure that policy terms follow recent challenges to and developments in coverage. Fundamentally, however, it remains a buyer’s market and companies should be confident that cyber policies deliver real risk transfer and value.

As the threat of hacking and cyber attacks on the databases of all organizations grows, so does the uptake of cyber insurance policies. But when buying a policy and anticipating a claim, it’s important to know exactly what’s covered.

War, invasion and insurrection
Most commercial property and liability policies exclude damage resulting from these events, as well as terrorism.

Patent, software and copyright infringement
This is typically covered by intellectual property insurance forms, and not by a cyber policy. However, some broadly written cyber policies will cover defence costs associated with copyright infringement claims if they are the result of actions by a non-management employee or an outside third party.

Bodily injury and property damage
This coverage, standard under a commercial general liability policy, is typically excluded in cyber insurance as a person cannot be physically injured by having their data exposed when your business’s database is infiltrated.

Failure to take required security measures
When applying for a cyber policy, the application will include a number of questions regarding the steps you’ve taken to safeguard your data. If it is later discovered that you have failed to implement these security measures, an insurer might deny the claim.

Employment-related claims
These are mostly covered by an employment practices liability insurance policy, and are thus excluded from a cyber-liability policy. However, if your employees’ personal information was compromised, your policy would likely cover employment-related privacy violations.

Many professional indemnity policies will provide some insurance cover in the event of a cyber-breach, but there may be significant gaps, including:

  • Cover for loss of employee and partner information;
  • Breach investigation expenses, including specialist independent legal advice, forensics and IT security expertise;
  • Costs incurred by the firm to notify affected individuals, to offer appropriate credit and ID monitoring services and to hire appropriate public relations expertise;
  • Cyber extortion expenses incurred to end a credible extortion threat;
  • Reimbursement of data and computer programme restoration expenses;
  • Consequential loss of revenue resulting from a network interruption.



We are aware that you have a choice of who represents you, so why choose JLT?

  • We stay close to the pulse of the vibrant London insurance market and leverage our relationships and knowledge
  • Our deep technical knowledge means that we do not accept any insurer's standard policy form and will work tirelessly to ensure you receive a differentiated result
  • Claims advocacy is a vital part of our offering to clients. We link it to placing and wording to ensure that clients receive a full circle and joined up approach. Our claims advocates will provide you with tailored policy wordings, advising you about notification and coverage, and work with you and your insurers to achieve successful resolution of all claim-related matters
  • We host training workshops and establish regular meetings with clients 
  • We create content that highlights the latest risk trends and aims to simplify concepts that may seem confusing to individuals with limited experience in technology. This includes our monthly newsletter, Cyber Decoder, in-depth whitepapers as well as a wide range of educational videos and materials
  • We know we can’t do it all (penetration testing, incident response drilling, technical security advice) and so we seek unique partnerships to bring you cutting-edge solutions.

JLT’s cyber risk consortium

Cyber risk is a rapidly evolving area that impacts business operations across industries and within organisations. JLT’s cyber risk consortium is a unique collaboration of leading companies across the software, hardware, advisory, consulting, and legal industries that effectively support clients around their strategic, operational, financial, and people issues impacted by cyber risk. The consortium brings together content, best practices, and subject matter experts to collaborate and solve cyber risk.