Cyber Insurance Questions & Answers

30 January 2019


JLT Specialty’s Cyber team help deliver bespoke cyber risk management and cyber liability insurance solutions to meet the needs of their clients.

The team answer a series of frequently asked questions. Contact us if you would like to discuss any of these questions and answers in more detail.


When you find out that you have been hacked, immediately call the 24/7 crisis number displayed in your policy. The crisis manager will reach out to you to discuss the appropriate forensic and legal measures that should be taken. The costs of resolving the issue are covered in your insurance.

Yes, cyber insurance does not differentiate between digital and hard copy data. The main issue is that potentially sensitive data has been misplaced, and could be in the wrong hands. The costs to cover in this type of incident would be notification costs, PR advice, legal advice, and liability.

This kind of scam is known as fake president fraud. This happens frequently, and since it is a cyber-enabled crime (including social engineering), many people think it is covered under a regular cyber policy. It is not, since there is no breach into the system of the insured. This should be covered by a crime policy. Therefore, it is always good to ascertain with your advisor which risk you have, what the impact of an event would be, and to do an insurance gap analysis.

This would be covered under the media liability section. In this case, given the potential impact on your reputation, it will be vital to let the crisis manager and PR adviser get in touch with your client and act swiftly and precisely to mitigate the incident.

This kind of event, business interruption, is covered under cyber insurance. With the rise of Internet of Things (IoT) based products and services, DDoS attacks that use the vulnerabilities in these devices will also rise. It would benefit every company to have a thorough look at which providers and services they are highly dependent on, and see if they can mitigate the risk involved.

If you are unable to access your systems due to a third party suffering a cyber attack, then a cyber policy can cover this. A cyber policy would cover both loss of revenue sustained by you due to the attack, as well as any extra expenses that are over and above normal business operations following the attack. Some insurers will extend this coverage to pick up the errors and omissions of the third party that lead to your outage, so your cover goes beyond cyber.

There is no obligation to pay a ransom during an extortion event, and insurers will provide access to experts who can guide you through this decision. In the event that you choose not to pay a ransom and were to lose data as a result of this, a cyber-policy would cover the data restoration costs.

If a rogue employee, acting without the knowledge of senior management, was to steal or intentionally leak data, then a cyber-policy would cover this. The policy could cover the costs to respond to the data theft by utilising incident response vendors, as well as any third party liability arising from this incident. The policy would not cover criminal defence for the rogue employee him/herself.

If a third party made a claim against you accusing you of posting defamatory content, a cyber-policy could cover this under media liability. As well as covering defamation, this part of a cyber-policy would also cover any infringement of intellectual property, such as copyright or trademark infringement, aside from patent infringement.

Yes, cyber policies cover a wide range of financial impact to a company arising from non-compliance with GDPR and data breach notification obligations under GDPR. Covered costs include: defence of regulatory actions and investigations, costs to investigate the breach quickly to understand what happened, notification to affected individuals, communication with regulatory authorities through legal counsel, and defence of lawsuits brought by individuals under GDPR.

The GDPR allows regulators to issue fines up to €20,000,000 or 4% of the company’s global turnover (whichever is greater), and a cyber-policy would also cover these fines, but only where insurable by law. The question of insurability under various laws is a developing legal issue. GDPR cover does vary, so companies should check that they understand exactly what is covered under their particular policy.