In ten years' time, cyber insurance will be as common to small business owners as any other insurance policy, writes Philip Low, founder and chairman of IT infrastructure consultancy BroadGroup.
A recent government survey estimated that the average cost of cyber attacks is between £65,000 and £115,000 for small businesses and between £600,000 and £1.15m for larger organisations.
Cyber attacks against all business are increasing, and small companies are just as much a target as corporates, particularly in the areas of ransomware and email fraud.
With businesses increasingly dependent on IT and electronic data for their everyday activities, cyber attacks and failures can result in the complete failure of businesses or at the very least, force some to change their day-to-day activities.
According to government statistics, 10 per cent of organisations affected by cyber attacks were forced into changing how their businesses operated.
Data centres are integral parts of business operations and mitigating the risk of a data centre loss is critical.
While data centres offer stringent physical security measures, industry watchers have previously aired concerns about whether cyber security receives the same level of due care and attention.
Cyber insurance is an option, and an increasingly important way for businesses of all sizes to manage the threat of cyber crime; however, less than 10 per cent of UK companies actually take out specific protection.
One might wonder why take up is so low. Incredibly, cyber insurance cover has been around for ten years but, it seems, many of us don’t have confidence in the types of products or services currently being offered.
In the US, mandatory notification laws for data breaches have encouraged businesses to take out insurance, and the UK is likely to follow when new EU data regulations come into force in 2018. These regulations outline how companies should react when they experience a data breach and threaten possible fines of up to €20m, or 4 per cent of the company’s annual worldwide turnover.
Cybersecurity insurance — sometimes referred to as cyber liability or data-breach liability insurance — is a type of standalone coverage. It helps companies recover from data loss owing to a security breach or other cyber event, such as a network outage or service interruption.
In general, cover against cyber theft or attack is roughly three times more expensive than general liability insurance and six times more than property insurance. Insurers tend to offer a pricing structure that charges companies similar rates regardless of the underlying risk – a factor that has discouraged take-up.
For many insurers and brokers, the technicalities of information security and the details of how to deal with a data breach remain a mystery. A good starting point is to determine the costs or expenses you think need covering and the types of incidents you want cover for.
Businesses should work with a cybersecurity-insurance broker who has proven experience and expertise in selecting a cyber policy. A specialist broker will save you time and help you find out what is right for your business.
This person will not necessarily be the same one who provides your usual insurance. It is always advisable to give the broker a list of the estimated expenses and costs you might incur in the event of a data breach, and to discuss any exclusions that might prevent you from making a claim.
A policy for you
Choosing the right policy for your business, business model, industry, size and exposure is a complex exercise. It is important to understand the kind of support being provided as part of the cover.
Some policies provide a point of contact who will handle everything from the moment the insurer has agreed the claim, whereas others will let you manage the incident and decide which services you want to use from a list of suppliers.
First-party insurance covers your business’s own assets. Third-party insurance covers the assets of others, typically your customers. For organisations that don’t have the people or experience to manage a data breach incident, a third-party supplier is usually a better option.
All policies have a set of exclusions, terms and definitions, but there are many other issues you should consider when managing your own cyber risks as a business. These include evaluating the first- and third-party risks associated with the IT systems and networks in your business, assessing the potential events that could cause those risks to materialise, and analysing the controls currently in place and whether they need further improvement.
For small enterprises there are some simple policies available, but sometimes these raise more questions than they answer, as they do not always provide a long list of exclusions or terms and definitions.
With detailed policies you should know better where you stand. Unfortunately, no two businesses are the same when it comes to cyber risks, so it is key to understand the cyber risks your business faces and to ensure your cyber policy is tailored to mirror those risks.
Cyber insurance alone does not replace the need for good security practice. Businesses should be smart in their approach and consider the people, process and technology elements, as well as physical security, when protecting against cyber threats.