Almost half of UK businesses say they have suffered a data breach in the past 12 months and the average cost to a large enterprise is £20,000
Cyberattacks are becoming more frequent and more costly. If companies want to protect their bottom line and safeguard their operational capabilities, they must meet risks head-on.
The Government’s Cybersecurity Breaches Survey 2017 found that in the previous 12 months 46pc of UK businesses identified at least one cybersecurity breach or attack. The figure for medium-sized businesses (50-249 employees) was 66pc; for large businesses (250 or more employees) it was 68pc.
The average cost to large businesses of a cyberbreach was £20,000, although in some cases the figure ran to millions of pounds.
According to insurance broker Lockton, half of UK companies expect to be back to normal within two days of a large cybersecurity breach. Only 2pc think a breach will affect them for more than 10 days.
But Peter Erceg, senior vice-president of global cyber and technology at Lockton, believes companies are significantly underestimating the impact a breach would have on their business.
He says: “It can take several months, if not years, to become entirely operational again after a large-scale breach – and for some firms, a full recovery may be a bridge too far. UK businesses are currently unprepared for the seismic waves that can decimate an organisation caught unawares.”
For businesses of all sizes the starting point to implementing effective cyberdefences is education. This includes understanding not only the potential operational damage caused by a cyberattack, but also the legal obligations that businesses have to protect customer data.
Understanding the risk
Many companies may still not know that the European Union General Data Protection Regulation (GDPR) comes into force on 25 May. Failure to meet its requirements could result in a fine of €20m or 4pc of the company’s global annual turnover, whichever is the greater.
Many businesses realise they are not IT or data specialists and so rely on third parties. But this does not get them off the hook, as Craig Roberts, spokesperson at JSW Insurance, part of The County Group, notes. He says: “A lot of businesses outsource data management to a contractor or a third-party data storage company. But what they do not realise is that even though they are subcontracting it out they are still deemed to be the data controller – and therefore responsible for the data.”
Information, support and guidance
The good news is that help is at hand. The Government has made a commitment to investing £1.9bn to protect the UK from cyberattacks and make it a safe place to do business online.
As part of this drive, the Government launched the National Cyber Security Centre (NCSC) in October 2016. It was established to protect the country’s critical services from cyberattacks and to manage major incidents. But it is also focused on increasing the availability of advice to individuals and organisations.
One example of how the NCSC is delivering practical support is its Cyber Security: Small Business Guide, which helps companies identify the risks they face and gives tips on how to stay safe (see box).
The Government also backs a certification scheme called Cyber Essentials. The scheme sets out a list of measures that companies can take to improve their digital security. It then offers Cyber Essentials certification and Cyber Essentials Plus certification depending on what measures a company implements.
The Government is offering SMEs grants of up to £5,000 towards the cost of implementing measures that will enable them to meet the Cyber Essentials criteria. Despite this, a lot of businesses still have a long way to go when it comes to enacting robust digital security (see box).
Mona Said, head of propositions at Allianz Insurance UK, says the Cyber Essentials scheme provides positive benefits to companies. She says: “According to the Department for Business, Innovation and Skills, by ensuring network security meets the Cyber Essentials standard, around 80pc of cyberattacks can be prevented.”
The insurer is keen to see companies carry out this sort of preventive activity and has launched the Allianz Cyber Risk Assessment tool to help businesses protect themselves against a potential cyberattack.
Allianz’s commercial policyholders can complete a free online cyber-assessment and they will receive a tailored cybersecurity improvement report.
The wider insurance market is also working hard to improve understanding about cybersecurity and to promote the issue as widely as possible.
The British Insurance Brokers’ Association recently set up a Cyber Focus Group to educate brokers on the nature and scale of threats, to promote good practice in cybersecurity and to publicise the insurance products available.
Although cyber-insurance products have been around for about 15 years, they have evolved significantly and many brokers are building their business in this niche market. One such company is Elmore Insurance Brokers.
Simon Gilbert, its managing director, says: “We established Elmore in 2015 on the principle that cyber-insurance would be ubiquitous by 2025.”
Looking at how quickly the cybermarket is developing, he adds: “Almost every insurer and broker is continuously developing products.”
Mr Roberts agrees that the market has moved on significantly. He says: “Some form of cybercover has been available for about 15 years. The first-generation covers were all around protection for businesses from third-party claims. They did not include cover for getting rid of the problem, or any business interruption cover.”
He adds: “A cyberpolicy enables you to include cover for fines and penalties. It is very rare for fines and penalties to be covered under an insurance policy.”
In addition to the scope of cover provided by a cyber-insurance policy, Mr Roberts also says insurers offer access to professionals who can significantly reduce the overall size and impact of an attack.
They provide access to experts including forensic data scientists to investigate and eradicate the cause, and specialist digital legal advisers who will liaise with the Information Commissioner’s Office (ICO) and ensure a company fulfils its mandatory duties.
This is particularly important as the largest fines generally fall on those who fail to notify the ICO as required.
Taking it personally
In the same way that companies are waking up to their digital exposures, individuals are also beginning to question how safe their data is and what might happen if it were compromised.
How far this develops regarding personal lines insurance policies remains to be seen, but it is under discussion.
Mr Gilbert says: “It is definitely a growing area of interest for the industry. People are split in their thinking. One side believes new regulation around data protection will mean individuals’ rights are protected and therefore they will not need such protection.
“However, the other side feels that with the new Open Banking regulations and the data sharing economy, traceability of source data and resulting liability will be ever more difficult to determine.
“Therefore, consumers could be left in a complex maze of understanding where liability rests when their data may have been used without their consent. In this scenario, cyber-insurance for individuals will be an important protection.”
The jury might be out for the personal lines market, but the time has long since passed for companies of all sizes to address their digital exposures effectively.