Few UK firms are cyber insured despite financial losses

Some 22% of UK businesses have suffered a cyber attack that has cost them financially, according to a survey of more than 1,000 senior decision-makers from UK firms ranging from sole traders to large corporations.

More than half of these organisations have been hit more than once, and 3% say they have been hit more than 10 times, according to the YouGov survey commissioned by UK-based global commercial and business insurance broker SJL Insurance.

The bulk of those respondents (87%) that knew how much the business had suffered financially as a result of their most recent cyber attack reported losses of up to £99,999.

At the upper end of the scale, 9% reported losses of between £100,000 and £499,999, while 2% reported losses of up to £250m. In all cases, losses include direct losses as well as remediation and repair costs and other costs associated with dealing with the attack and restoring reputational damage.

Despite these losses, the survey found that only 39% of businesses affected by cyber crime had cyber insurance at the time of the most recent attack, with 53% admitting they did not have cyber insurance and 8% saying they did not know or could not remember.

At least 46% of senior decision-makers said their business had never had cyber insurance, which is putting UK businesses at a higher level of unnecessary risk, with a further 31% not knowing, which means up to 77% may never have had cyber insurance.

According to the report, the losses reported by some companies would be enough to put others out of business, highlighting the need for appropriate cyber insurance tailored to specific business risks.

Simon Lancaster, CEO of SJL Insurance, said the survey had found some alarming trends, both in how many businesses had suffered a cyber loss and how many had inadequate insurance protection against losses.

“We are keen to educate companies about how they can protect themselves against this emerging threat, in the same way as they do against traditional losses such as fire and theft,” he said.

Lancaster said he was “on a mission” to help UK firms have a better chance of making a successful insurance claim and advising them how to protect themselves.

“We have discovered that many companies take out cyber insurance as an add-on policy on the back of their professional indemnity insurance, but these usually do not cover the company robustly,” he said.

Lancaster pointed out that commercial insurance brokers can carry out a risk analysis of businesses to source the correct cyber policy that, in addition to third-party liability, covers them for action taken against them arising from a cyber event.

He said cyber insurance should include business interruption cover, cover for cyber incidents experienced by suppliers, and accidental cover for accidents caused by a member of staff.

Rob Shapland, ethical hacker at Falanx Cyber, said the survey findings emphasise the risk that businesses of all sizes are facing from cyber crime and the financial implications of not being prepared.

“Relatively small investments in cyber defence, such as awareness training for staff, regular penetration testing and managed detection and response services, can ensure that not only is the business protected, but also has the ability to respond appropriately should an attack occur,”  he said.