Why is the US streets ahead of the UK when it comes to businesses adopting cyber insurance? And what can we learn from our American cousins?
Why is cyber insurance important?
To illustrate why cyber insurance is important, let’s compare it to a business insurance policy. It’s widely accepted that any organisation operating without business insurance is at best foolhardy and at worst crazy. There are so many potential things that could go wrong.
You could be the victim of fraud, a workplace accident could lead to legal action against you, or an electrical fire could turn your hardware into a husk of melted plastic. The possibilities are endless and any one of them could seriously damage or even end your business.
It’s vital for your business’s health (and a good night’s sleep) to know you’re covered should the worst happen.
The same is true of cyber insurance. We’re unused to thinking of it in the same way as business cover, but cyber insurance is becoming increasingly necessary. Up to 88% of UK companies have suffered breaches in the last 12 months, according to Carbon Black. Meanwhile, Hiscox reports that a UK SME is successfully hacked every 19 seconds.
All this means that UK SMEs are experiencing double the number of cyber risks that they did in 2018, with the average cost of a breach also quadrupling. There’s a clear case for widespread cyber insurance adoption, so how are UK businesses doing?
What does the cyber insurance market look like in the UK?
Given the risks we’ve just outlined, you might think that British businesses are clamouring for cyber cover. But, unfortunately, cyber insurance adoption is relatively low in the UK.
There are a couple of reasons for this. The first is a simple case of awareness. As we mentioned earlier, getting business insurance is considered common sense by most organisations. However, awareness of the need for cyber insurance lags some way behind. We simply aren’t used to considering it as an everyday business cost. After all, if you’re lucky enough to have never been successfully attacked, why would you?
The second reason is the cost. A Deloitte survey, looking at 504 middle-market commercial insurance buyers, found that 41% of businesses claimed insurance costs were too high. And 33% of organisations reported ‘dissatisfaction with the service’.
However, it’s not all bad news. 41% of businesses still purchased cyber insurance after conducting a risk assessment. What’s more, a further 41% were prompted to buy a standalone insurance product by attacks on other industries.
Why is the US ahead?
There’s an old adage that ‘everything’s bigger in America’. It’s usually said sarcastically by embittered Europeans, but when it comes to cyber insurance it’s true.
Despite net premiums being low for an insurance market ($1.94b in 2018), the US market is growing fast. 40% of US businesses purchased cyber coverage in 2018, with a further 40% buying for the first time in 2019. During the same period, the average US cyber claim size shot up to around $181k for an SME and over $5.5m for a large business.
So why is the US market more advanced than what we’re currently seeing in the UK?
It’s partly because the US is at the forefront of the fight against cybercrime. The US currently leads the world in data breaches with an average breach cost of $8.64 million and is the second most attacked country on earth after Germany. So for companies based in the US, cyber threats are seen as part and parcel of business.
However, it’s also down to public perceptions of cybercrime. Many of the most high-profile cyberattacks have been on large American companies such as Twitter, Microsoft and Marriott, meaning cybercrime is given loud and regular media coverage. This makes the threat appear much more immediate than elsewhere.
What can the UK learn from the US?
Before we delve into what the UK can learn, it’s important to note that the US market has its limitations. As recently as 2017, 75% of SMEs in the US didn’t have cyber insurance, meaning adoption hasn’t always been as widespread as figures suggest. And there’s still some mistrust of the industry. For evidence, look no further than US pharma giant Merck, which found itself at the centre of a media storm after being denied a payout following a breach.
But for the time being, at least, the US remains ahead of the UK market. So what can we learn?
Close the expectation gap
First, UK insurers need to close the expectation gap between service and consumer within the industry. Many small businesses view themselves as not ‘valuable enough’ to be attacked. And insurers need to do more to convince SMEs that they’re being threatened because they’re ‘vulnerable rather than valuable’.
Update the industry model
One of the biggest barriers to greater adoption of cyber insurance is the perception among SMEs that it’s expensive.
The current cyber insurance model was created in the early 2000s, aimed at multinationals and large tech firms on the west coast of America. The world has changed a lot since then. In an age where even the smallest businesses are online, a new approach is needed. Insurance professionals need a better understanding of the financial limitations of their market and a pricing structure to suit.
Make it easier to address cybersecurity concerns
Perhaps the greatest difference between the US and the UK market is how proactive US insurers are. In the UK, we tend to focus on educating businesses on the importance of cybersecurity rather than helping them to get cyber secure.
Cybersecurity can be confusing and for a small business owner, the prospect of going it alone can be daunting. So more needs to be done to guide businesses along the path to better cyber hygiene. For example, recommending all clients get Cyber Essentials certified is a great start.
What does the future hold?
Although the UK is currently behind the US, things are unlikely to stay that way for long. The US market is slowing. Meanwhile, many insurance brokers in the City of London are targeting cyber insurance as a key area for growth post-covid.
So are we about to enter a future where cyber insurance becomes as commonplace as business or contents insurance? That depends on insurers adapting the current, dated model in favour of an approach that supports SMEs.
Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cyber hygiene.