Majority of UK firms not insured against security breaches and data loss

Current estimates are that annual losses to UK businesses from cybercrime exceed £29 billion. Yet research published in the recent Risk:Value report from NTT Security shows that, whilst 81% of the senior executives surveyed believed that adequate insurance against data breach is essential, nearly half are unaware of what their companies’ insurance policies cover and only one third feel that their insurance is adequate.

The report has canvassed opinion from 1800 global senior executives, and the results indicate that UK businesses would need to spend, on average, £1 million to recover from a breach.

More than 70% of insurers trading through Lloyd’s of London now offer such cover, which is a dramatic increase and a sign of the seriousness of the issue. Allianz believes that by 2025 cyber insurance premiums globally will have risen from their current $3-4 billion, to $20 billion. However, experts are warning that companies must avoid any tendency to view adequate insurance as a reason to rest easy over their data protection practices. In the event of a breach, there will be no insurance payout if a company is found to have been careless.

One of the issues that has been addressed is the problematic need for specialist knowledge in order fully to understand the terms of a cyber insurance policy. Smaller businesses that do not employ dedicated cyber security professionals could fall foul of an innocent misunderstanding and find themselves with no cover. Clearly there is a need to make things easier for the average person.

At present a complex and extensive list of factors is taken into consideration when an insurer is assessing risk, but so far the assessments have concentrated, in the most part, on the entity being insured. This, of course, takes little account of third-party risk - how do the companies that work with the insured entity on a daily basis, handling data in the process, also contribute to the assessment of risk? It is in this area that some of the most complicated and, potentially, costly evaluations will need to be made going forward. It isn’t going to get easier any time soon.

Two things of which there can be no doubt. Firstly, there is an immense amount of work to be done. Secondly, in addition to simplifying the jargon, some kind of education programme may well be needed to help people better to understand both the insurance they have and the insurance they need.