Cyber insurance: Are UK businesses avoiding coverage?

Cyber risk remains a key boardroom concern among the UK’s most prominent organisations. The latest Financial Times and ICSA survey revealed 80 per cent of FTSE 350 companies consider cyber attacks their biggest management concern, while 90 per cent are increasing spending on cyber risk mitigation.

 

Comprehensive insurance is usually a key ingredient in many risk management strategies. However, a recent UK government report showed less than one-in-ten businesses have invested in specific cyber insurance policies. The figure climbs to nearly one-quarter of medium and large organisations, but this still seems low given the emphasis that senior executives are placing on tackling cyber risk.

 

Why are so few businesses purchasing cyber insurance? Let’s examine some of the reasons why organisations may be forgoing cover.

1. The risks don’t warrant insurance 

Forty-three per cent of businesses reported suffering a cyber security breach in the last 12 months, according to the government’s report. But the majority of incidents don’t result in specific financial costs, as many organisations don’t lose data or assets.

 

Where businesses do suffer losses, the average cost is £3,100, rising to £22,300 for large organisations, the government’s statistics show. Many enterprises, particularly smaller ones, therefore feel the risks they face simply don’t warrant purchasing expensive cyber insurance policies.

 

In fact, 41 per cent of UK businesses that have neglected to purchase cyber insurance claimed they don’t think cyber attacks pose a realistic threat to their operation.

2. Cyber security budgets may be better spent elsewhere

Insurance is designed to provide a financial safety net when things go wrong, but many organisations may already be confident in their cyber security defences. This means security and resilience departments may prefer to invest their budgets into other areas of cyber risk strategies instead of insurance.

 

Furthermore, the average cost of a breach in the government study was just £3,100. If this figure is accurate, most organisations would probably spend more on a cyber insurance policy than it would cost to resolve the problem independently.

 

Even if cyber professionals are keen to purchase insurance, they are rarely the people in charge of these decisions and could face difficulties securing senior executive approval.

3. The evolving complexity of cyber risk 

Cyber criminals are growing increasingly sophisticated and breaches can impact multiple areas of a business, from customer-facing channels through to the supply chain. Unlike natural disasters, malicious digital threats adapt and evolve to overcome existing defences.

 

Insurers must therefore constantly update their policies to take into account the changing cyber risk landscape. There is also relatively little historic claims data on which to base their calculations for premiums.

 

The disadvantage for businesses is that they are likely to face higher costs for insurance, more payout exclusions and policies that could quickly become outdated as new threats appear.

4. Fear that cyber policies won’t pay out 

As the cyber insurance market grows, media reports are already beginning to emerge about companies pursuing litigation against insurers that refused to indemnify policyholders when breaches occurred.

 

In the US, the National Bank of Blacksburg suffered losses of $2.4 million when it was hacked twice in 2016 and 2017. The bank had expected most of the costs to be covered under an $8 million (£6.2 million) single loss liability section of its cyber insurance, but it was instead only offered $50,000.

 

The insurer ruled the breaches had fallen under a different clause of the policy, which drastically reduced the payout. This is just one of a number of examples where convoluted cyber insurance policies have left companies holding the bill after purchasing cover in good faith.

5. The global impact of a major cyber attack 

We are yet to see how insurers would deal with a catastrophic cyber event that has a significant impact on multiple businesses worldwide.

 

A single incident, if serious and widespread enough, could cause losses similar to a natural disaster. For example, Lloyds of London estimated that the direct costs of a major disruption to global cloud services could surpass $121 billion.

 

Crucially, insurers could face phenomenal accumulation risk in these circumstances, whereby cyber attacks impact across several lines of business within their portfolios. For example, a breach could create claims for supply chain failures, business interruption and reputational damage.

Is cyber insurance worth the investment? 

More and more organisations are investing in cyber insurance. A recent study from FICO showed that just ten per cent of UK businesses have zero coverage in 2018, down from 38 per cent last year.

 

However, the same survey revealed only 38 per cent have comprehensive policies that provide full risk protection. Most respondents also claimed their cyber insurance wasn’t based on an accurate assessment of their firm’s individual risk.

 

What does this mean? Essentially, while many businesses are buying insurance, the majority could be purchasing policies that aren’t tailored to their needs and won’t pay out in a crisis.

 

The cyber insurance market is still finding its feet, and many businesses may feel current policy offerings don’t offer enough peace of mind to earn their investment.

Building stronger cyber security defences

Any organisation purchasing cyber insurance should ensure their policy adequately covers their business for all the risks it faces, particularly problems that are likely to occur or are expensive to remedy. Be aware of exclusions or ambiguous terms and conditions that could eliminate coverage.

 

Many policies do not cover terrorism-related breaches or human error. The latter is a common source of problems, with IBM finding there was a 424 per cent jump in breaches due to misconfigured cloud infrastructures in 2018, most of which occurred because of staff mistakes.

 

Much as property owners are expected to meet a minimum threshold of care to receive a home insurance payout – such as locking doors and setting alarms – businesses must also have effective cyber security defences in place.

 

Are your security and resilience teams well resourced enough to tackle today’s cyber security threats? If you’d like to discuss your recruitment needs, please phone us on 020 7936 2601 or email me directly at sjd@barclaysimpson.com.

 

Our 2018 Market Reports combine our review of the prevailing conditions in the security & resilience recruitment market with the results of our latest employer survey.

 

Image credit: BCFC via iStock