Paul Cullum, Product Development Manager, HSB Engineering Insurance, looks at cyber insurance
The UK insurance market loves to talk about cyber. It is hard to escape it. Tesco Bank, TalkTalk, PayPal, Sony, and even the US Democratic Party presidential campaign have all been hacked – and these are just a few of the ones we know about.
UK cyber insurance, however, is still a nascent market, with fewer policies actually being sold than are being talked about. But this is likely to change in Spring 2018 when the General Data Protection Regulations come into force, requiring far more disclosure from businesses if data is compromised.
In the US, legislation to disclose data breaches has been the biggest driver of cyber insurance as it completely changes the loss experience and adds potentially major and unexpected costs.
Most cyber losses don’t involve state-sponsored hacking or coordinated attacks. They are far more mundane and closer to home – lost laptops or memory sticks, errors or intrusions from service providers and, by far the biggest cause, employees.
Currently, the most common types of cyber attack in the UK include the relatively low-tech phishing (pretending to be someone else to trick people into sending bank or financial details) and ransomware (inserting, or threatening to insert, a virus, or threatening to disclose sensitive information, unless paid).
While big firms and big losses make the headlines, and are where the majority of cyber insurance policies are currently targeted, a sense of proportion is needed when it comes to smaller businesses: both in terms of their losses and in terms of the type of cyber insurance policy that might be most effective for them.
Cyber cover for SMEs is important because of the higher chance of any loss being significant. For a small business a £30,000 loss could well be catastrophic.
Many small to medium enterprises (SMEs) will not have a dedicated IT department, or the in-house knowledge to prevent a cyber loss. However, cover needs to be tailored to the size of the business, and not just be a pared-down version of the cyber cover provided to large corporates. Fortunately, more SME-focused cyber solutions are now becoming available to meet this need.
Adherence to the UK Government’s Cyber Essentials list would be a good start for all businesses, whatever their size. Regularly changing passwords so they can’t be easily guessed sounds straightforward, but many firms don’t even go this far, as a recent US cyber attack revealed when hackers commandeered thousands of devices whose passwords were still on factory settings.
In the aftermath of every hurricane or flood, demand for insurance to cover that risk always jumps sharply. Most SMEs should not be running the risk of a significant cyber loss before contemplating getting cover for it.