But take-up of cyber insurance is still relatively low, and the question is why. The 2023 edition of our C-suite barometer found that two-thirds of executives (66%) felt confident their company data was completely protected, while 65% believed a significant data breach would not happen in their business in the next 12 months. In addition, this year’s Cyber Security Breaches Survey conducted by the UK authorities has shown that only 37% of UK firms were insured against cyber security risks, and 20% of respondents were unclear if they had any form of cyber insurance at all.
Clearly a false sense of security could be at play when it comes to assessing the need for cyber insurance, but it’s something that could provide critical protection in the event of a cyber attack or data breach.
What cyber insurance is available?
Cyber insurance cover can encompass both the financial loss that a business suffers as a result of a cyber attack and professional support to help an affected business react and recover.
Cover is often broken down into a number of categories:
- Business interruption: If an IT failure or cyber attack interrupts business operations, insurers cover the loss of income during the period of interruption.
- Potential claims of damages: Cyber insurance can provide cover for a business in the event that someone brings a claim against it for infringement of data protection or privacy rights.
- Data: This protects a business from damage to its digital assets, such as data. It covers costs of recovering and restoring data.
- Cyber extortion: This protects a business in the event of ransomware or other malicious attacks. These types of attacks attempt to seize control of, and withhold access to, an organisation’s operational or personal data until a fee is paid.
- Reputational damage: An insurer can help with strategic reputation and crisis management when a business suffers a cyber attack.
Calculating cyber insurance coverage
When it comes to calculating cyber insurance coverage, the industry a business operates within and its current IT setup are key. What are the current IT security measures the company has? Are they well developed? Is the company prepared for a data breach or cyber attack? Although it's difficult to have cast-iron rules for calculating this complex risk, the level of preparedness is the most important consideration for an insurance company when offering cyber insurance cover.
That’s because large international insurers will only cover the risk if a business has a process in place to identify an attack at an early stage. If a business has implemented a certain level of risk management to identify an attack, the insurer will offer a package based on the five categories listed above. If a business is unable to satisfy this condition, it will likely be offered reduced cover.
Why UK businesses should have cyber insurance
Despite the proliferation of cover available to UK firms, take-up is low. Larger businesses are more likely to have cyber insurance already in place, but medium or smaller companies often don't have it at all. That’s an issue from both business protection and compliance perspectives.
Statistics for Small and Medium Enterprises (SMEs) in the UK show that only 14% of businesses are aware of the Cyber Essentials scheme. Cyber insurance under Cyber Essentials would give organisations that are eligible and opt in £25,000 of cover, provided their annual turnover is less than £20m. However, some argue that the scheme would only cover damages from small-scale incidents and, notably, that money stolen through electronic means (such as invoice fraud) would not be covered. As a result, it is no surprise that less than 1% of UK businesses made an insurance claim in 2022.
Businesses need to understand the measures they should implement in order to reach a minimum standard of preparedness, so they can identify or avoid attacks before they happen. As part of that process, businesses should speak to insurance companies about the cover available to them. This will involve answering general questions about the business, turnover, customers and claims history; and specific questions on their cyber resilience and set-up, such as the type of data storage and security the company has in place. Going through that process will enable businesses to receive guidance on any measures they need to implement to be able to secure the cover they need.
Once cover is in place, it must be kept up to date with changes in risk. Businesses should be continuously reviewing their risk management profile when it comes to cyber and, as a result, the amount of cover they either need or are able to get, particularly during their annual renewal process.
With the risk of a cyber attack increasing, businesses need to ensure they have the protection of insurance. Cyber insurance is becoming an essential tool, rather than just a nice-to-have.
Read Mazars’ latest report, Future-proofing cyber security in an increasingly digital world, for an in-depth guide on how to understand and mitigate cyber risks.