Listen to this article
An attack can seem very innocent at first. It can look exactly like an email from the chief executive or a message from a supplier or a bank. But links in malicious messages can set off a devastating sequence of events that could lead to data loss, unwanted encryption of systems and ransom demands, or damage to property if connected infrastructure control systems are hijacked.
For large companies, cyber attacks can be an unwelcome distraction that takes a while to sort out. For small and medium-sized businesses, the impact can be far more serious. “Large companies appreciate the risks quicker but small companies face even more severe risks,” says Stephen Ridley, head of UK cyber business at insurer Hiscox. “Even a small breach could be curtains for them. Something mundane could turn out to be incredibly problematic.”
The problem for smaller companies is attacks are becoming more common. According to a UK government report published in May, a third of small businesses has had a cyber breach over the past 12 months. For medium-sized businesses, that figure rises to just over half.
It is no surprise, then, that the insurance industry sees cyber attacks as a business opportunity.
The cyber insurance market for large businesses is already well developed but providing cover for small businesses is currently much less widespread.
Mark Camillo, cyber leader at insurer AIG, estimates that less than 2 per cent of businesses in Europe have some sort of cyber insurance. “Small companies don’t think they’re going to be targeted with this sort of attack,” he says, “so it is a surprise when they are hit.” In the US, cyber insurance is well established. Laws require companies to report to both regulators and affected customers when information has been stolen, and insurance covers them for the costs of making these reports.
Jamie Bouloux, a cyber expert at insurer Ryan Specialty Group, says: “Notification charges can be huge in the US, and there is also the potential for class action lawsuits.”
An EU data protection regulation, due to come into force in 2018, will impose similar requirements on European companies. This is expected to spur a much wider take up of cyber insurance.
“There are obligations to report data breaches to regulators and individuals in some circumstances and, where this needs to be done, the timescales are short,” says John Benjamin, partner at law firm DWF.
He says the EU regulation will result in a much higher standard of privacy protection than that provided by US legislation, where the rights of the individual are not as well protected.
Mr Benjamin adds: “Potential fines will be a lot higher than those provided under current law. They will be similar to antitrust-style penalties, which are based on global turnover.”
Cyber insurance can cover business interruption, damage that hackers cause to IT systems, extortion (where a ransom is demanded, with payment often required in the digital currency bitcoin) and the costs of dealing with any legal or regulatory investigations. It will not, however, cover the costs of fines and penalties. The EU rules allow fines of up to 4 per cent of global annual turnover in the event of a breach.
For the insurers, helping clients to deal with the practical consequences of a breach, rather than simply sending a cheque to pay a claim, is a big selling point. “The most important part of the cover is the claim response and the direct access to service providers. A big part of it is the crisis management piece,” says Mr Ridley, of Hiscox. Services provided by insurers can include IT forensics specialists, who can work out exactly what has happened, legal advice and public relations consultants, who can help the company to send out the right message to its customers.
Some policies are also preventive. “A lot of cyber policies now include loss prevention to help a small business stop getting hacked in the first place,” says Mr Camillo.
“That can include devices which are updated every 10 minutes with information on the latest hacking groups.”
It can also include training to help businesses better understand the risks.
Prices, according to Mr Camillo, can start at about £50 for £25,000 of cover and then rise from there. He says that costs for bigger policies, which can provide £5m or more of cover, vary from 0.5 per cent of the sum insured to 2 per cent, depending on the exact type of insurance bought.
The price can also vary by industry. “A credit card processor or a health facility with access to sensitive medical data would pay more than a company without access to these records, such as a manufacturer,” says Mr Camillo.
Nevertheless, a lot of small businesses choose to operate without standalone cyber insurance. That is partly because some elements of cover are already provided in existing policies. Property, professional indemnity or kidnap and ransom policies sometimes provide cyber cover, or at least do not specifically exclude cyber attacks in their policies.
Insurers believe there is plenty of potential to increase the take-up of cyber insurance policies. “The standalone cyber insurance market for SMEs hasn’t quite picked up as we might have expected,” says Mr Bouloux of Ryan Specialty. “Lots of companies aren’t aware that the product exists or aren’t aware that they could be a target. But awareness is growing.
“There is a lot more publicity around the fact that small companies can be a target due to a lack of training, a lack of security management, small IT budgets or the use of older operating systems.”
Cyber insurance: what to look for in a policy
The Association of British Insurers has produced a guide for SMEs thinking of buying cyber insurance. It highlights six things that SMEs should look out for in their cover:
• Loss of income caused by a cyber attack.
• Costs associated with privacy breaches. This can include the costs of notifying customers and any legal costs that arise.
• Cyber extortion demands.
• Protection against loss or damage to data.
• Legal claims relating to the company’s digital media presence.
• Forensic support from IT specialists after a breach.