A recent stream of high-profile cyber attacks demonstrates how many companies are falling victim to hackers. Yet in reality, many more incidents go unreported and undiscovered. In fact, the recent 2014 Information Security Breaches Survey from the Department for Business Innovation & Skills (BIS) estimated that up to 70% of companies keep their worst security breaches under wraps. In addition, the World Economic Forum’s Global Risk Report for 2015 ranked cyber alongside geopolitics, climate change and economic turbulence as one of the top risks for business. So why then, are the vast majority of large and small UK businesses not buying insurance to help manage their cyber risks?
Simply put, more needs to be done to educate companies on their cyber exposure. To date there has been a relatively low take-up rate of cyber insurance in the UK. But this looks set to change. Our own research shows encouraging signs in terms of intention to buy, with over 41% of the small businesses we spoke to in January saying they intended to buy a cyber policy in the next 12 months. That’s why we believe the UK cyber insurance market could double or even treble this year.
But there is still a worrying lack of understanding about cyber risks. Many companies struggle to comprehend – and therefore mitigate – their own weaknesses to attacks. At the same time, many insurance brokers admit to not having the confidence to speak to clients about the value cyber insurance can provide.
It is in the industry’s interest to bridge this knowledge gap. Insurers and brokers must work together on what is a growing issue.
This is why we have committed to working with 11 other insurers and the Cabinet Office on the role of insurance in managing the risk as well as what more can be done to assist companies in becoming more resilient to the threat of attacks.
For example, the lack of common definitions among insurers for terms such as “breach costs” and “cloud provider”, and the wide differences between insurers’ policies may be creating an unnecessary barrier to purchase.
In addition, we believe that the creation of a “buyer’s guide”, could help drive harmonization in cyber risk policy wordings and improve clarity for the purchase decision-makers.
The Industry also needs to look at itself and consider how good it is at managing its own data risks. Insurers and brokers are the custodians of huge amounts of confidential customer information and they are not immune to being targeted by cyber criminals just as many other companies are. A recent fine imposed on a travel insurer by the Information Commissioner’s Office is an example of this; we are not beyond reproach.
In cyber risk mitigation, there is a role for everyone. It is important that businesses, insurers and government work together to help make UK companies more resilient to future cyber threats. It is an opportunity to give London the status as a global centre for cyber risk insurance. And the demand for cover is there, so we must all seize the opportunity.