Business Continuity Planning: where insurance plays a key role

Insurance has long been used by businesses as part of their risk management and disaster recovery plans, and there are plenty of statistics that demonstrate that inadequately insured businesses are unlikely to survive major incidents. Until recently, most businesses have insured only computers and mobile devices against physical risks such as damage, theft or loss, with electronic equipment being insured on the same basis as their furniture and with no cover for lost, stolen or disrupted data. Some organisations may have wider policies that also include cover for equipment breakdown and limited expenses for reinstatement of data … but most cyber risks are excluded. Insurers and businesses have recognised that traditional insurance is inadequate and that there is a need for cyber liability insurance to cover events such as lost data, viruses, hacking and data protection breaches.

The rise in cyber incidents in SMEs is staggering, with a reported 200% increase in 2018 alone. As a result, it has become increasingly important that Credit Unions understand their cyber risks, become aware of the types of losses that can occur and have a suitable cyber incident response plan that kicks in should an event occur.

Some trends are emerging in the types of claims that cyber insurance is seeing.

- Strict liability for data breaches.

In a recent case, a company was held vicariously liable for a data breach caused by a rogue employee's malicious act of releasing 100,000 personal employee records. Whilst the company had reasonable controls and responses to the incident, it was found liable for damages to employees who had their data released. This shows a trend toward strict liability for data breaches.

- Litigation funding and claims farming.

Data breaches are considered lucrative opportunities for litigation funders and claims management companies. These companies are bringing together groups of individuals following data breaches for the purposes of group litigation. No-win, no-fee claimant lawyers are beginning to see data breaches as attractive income generators, and litigation funders are targeting data breaches. Both of these will see an increase in third-party privacy claims in the future.

- Strategic response plans and the risks for Directors and Officers.

It’s important for Credit Unions to have a strategic response plan for a variety of cyber incidents, such as:

- Ransomware

- Disgruntled employees

- Unauthorised access (phishing etc.)

- Loss of physical data

- Employee error

This might include a policy which provides cover for the losses and expenses often incurred from such events. The plan should include how to access post-event response services. It’s also worth noting that insurers have seen a rise in claims lodged against Directors and Officers for a failure to protect their businesses against a cyber incident. Directors should consider demonstrating risk transfer of the cost of a cyber incident and protecting themselves against claims of negligence or wrongdoing.

For more information about CMutual’s Directors & Officers Insurance, or Cyber Risk Programme, please contact us on 01 55 33 500, or email
