For SMEs
The Small Business Guide to Cyber Insurance
What is it
Why you need it
How to get it
What the future holds

What is cyber insurance?
Cyber insurance is a speciality insurance product that protects businesses from cyber risks, and those related to IT infrastructure and data management. Cyber insurance gives businesses the resources they need to respond to cyberattacks at a fraction of the real cost.
Businesses need cyber insurance because cyberattacks are not a threat – but a reality of everyday life. In the last 12 months, 39% of UK businesses identified a cyberattack and there is ample evidence to show that many attacks go undetected and unreported.

Those are scary figures, to be sure. But the one that proves that cyberattacks are a day-to-day reality is this one about cyber fatigue:
Cyber fatigue, or apathy to proactively defend against cyberattacks, affects as much as 42% of companies. - Cisco
Cybersecurity is now so common that it’s boring. And when something looks boring, it becomes even more dangerous. Cyber insurance means that if you do experience a breach, you won’t lose your shirt in the process.
But cyber insurance won’t instantly solve all your cybersecurity issues, nor prevent a network breach. Just as homeowners with household insurance are expected to have adequate security measures in place, businesses must put measures in place to protect their digital environment.
Why do small businesses need cyber insurance?
Most business liability insurance policies cover some aspect of cyber liability, up to a specific value. But, as with many insurance products, specific insurance provides more comprehensive coverage. Without insurance, businesses spend £3.6 million on average recovering from cybersecurity breaches. For an enterprise-level business, this cost hurts but can be absorbed. Small businesses face ruin if they’re caught by such sudden costs.
Professional services by numbers
The security landscape
The professional services industry is prone to attack. Cybercriminals target organisations three times a week, on average. Threat actors know there’s a lot on the line for their victims, which gives them an incentive to attack.
Why Do Cybercriminals Target Supply Chains?
For many cybercriminals, suppliers represent the weakest point in the target’s digital defences. Especially at the enterprise level.
Breaching an enterprise’s digital defences is tough. With substantial resources at their disposal, enterprises can afford to invest in the best cybersecurity tools and processes to keep their assets safe. But cybercriminals have learned that they don’t need to target a corporate giant directly to get what they want.
Suppliers and service providers can’t afford the same level of protection. By attacking the weakest link in a supply chain, cybercriminals can side-step the enterprise’s defensive perimeter and gain access to its systems.
Supply chain attacks are particularly effective because of the implicit trust businesses place in their suppliers. Only 13% of UK businesses assess the cyber risks posed by their immediate suppliers, according to recent government data. And that figure drops to just 7% for the wider supply chain. Cybercriminals exploit this confidence to target richer pickings further downstream.
Most common cyber threats to UK businesses
Phishing attempts
Social engineering tactics that are designed to trick people into sharing personal data or confidential business information. Phishing is the most common type of cyber threat to UK businesses. 83% of UK businesses that identify a cyberattack are hit by a phishing attempt.
Denial of service
Networks disrupted by an overwhelming volume of traffic, requests, and data.
Malware
Software designed to harm a computer, server, or network. It can steal information, delete files, or damage equipment.
Ransomware
Malware that encrypts your files and demands payment in exchange for decryption.
What does cyber insurance cover?
Cyber insurance covers a range of cyber risks, including:
- Accidental privacy breaches
- Business disruption
- Denial-of-service attacks
- Hacking, extortion, ransomware
- Loss of income and data restoration
- Malware
Some business liability insurance policies have additional features that cover dimensions of these risks.
Dedicated cyber insurance also covers:
- Hiring cybersecurity experts to investigate breaches and their causes
- Additional activities required to meet regulatory requirements
- Incident response
- Implementing a system to notify affected individuals about data breaches
- Credit monitoring services or anti-fraud protection for those affected
- Public relations support to offset reputational damage
Types of cyber insurance
The type of cyber insurance your business chooses should be based on the risk appetite of your company and what needs protecting. When it comes to cyberattacks, the business that’s being attacked is not the only party that can potentially suffer losses. As we’ll discover later, other businesses in your supply chain could be targets too.
First-party vs third-party cyber insurance
First-party cyber insurance provides the cover for losses and recovery to your business.
Third-party cyber insurance provides cover to partners, suppliers, and contractors that are hit by a cyberattack. Third-party cyber insurance (like third-party car insurance) can also provide protection if another company makes a claim against you for errors that you’ve made which have led to losses or damages to them.
This is useful when we consider the fact that 82% of data breaches are due to human error – sometimes due to social engineering, but just as much as a result of genuine error or misuse.
Specific types of cyber insurance
Within the field of cyber insurance, you can find specific types of coverage.
Business interruption
Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.
Computer data loss and restoration
Covers physical damage or loss of computer-related assets. This can include the costs of data retrieval and restoration as well as replacing hardware, software, or other assets.
Data restoration
Covers expenses related to the restoration or recreation of data that was lost due to security or system failure.
Forensic investigation
Covers the services necessary to assess whether a cyberattack has occurred and to assess its impact.
Ransom/extortion
Provides coverage for the costs associated with the investigation of threats to commit cyberattacks against your systems and for payments to extortionists who threaten to obtain and disclose sensitive information. It also covers the costs of paying encrypted data ransoms.
Cyber insurance requirements
So, what do you need to do to get cyber insurance?
To successfully apply for cyber insurance, most providers carry out a cyber insurance risk assessment as part of their underwriting process. Depending on the size of your company, this process can range from a simple questionnaire to a detailed forensic analysis that can take weeks to complete.
Part of the reason for this is that cyber insurance is a new, and thus volatile, market. The lack of historic data and the speed of technology’s evolution make it difficult for insurers to accurately assess the risk to businesses. By setting minimum security standards for businesses, insurers can create a reasonable baseline.
If you’re interested in cyber insurance, you’ll need at least the following safety measures in place: firewalls, secure configuration, user access control, malware protection, and security update management.
You may recognise these measures as the five technical controls of Cyber Essentials, and you’d be right!
Some UK insurers use Cyber Essentials as a minimum standard to keep risks – and premiums – at an acceptable level.
So, if you want cyber insurance, start by getting Cyber Essentials certified.
Cyber insurance costs
Just like health insurance, cyber insurance has a monthly premium. Costs vary and new products are entering the market to offer comprehensive cover at a price SMEs can afford.
But as we’ve already discovered, the lack of long-term data makes it difficult for insurers to assess the risk they are taking on. With an increased demand for coverage coupled with an alarmingly high rise in cybercrime hitting UK businesses, the price of cyber insurance is going up. According to one risk management firm, the cost of cyber insurance went up by 130% in the last quarter of 2021 alone.
Big fact
The UK has the highest number of cybercrime victims per million Internet users at 4,783 in November 2022 – up 40% over 2020 figures.
Types of cyber insurance claims
Here are three examples of the kinds of scenarios that you can claim on your cyber insurance.
Business disruption due to cyberattack
The website that your online building supplies business runs on crashes due to a cyberattack on the web service firm that hosts your site.
Your cyber policy pays out for all projected profits lost during your company’s downtime, even if the outage happened at a third-party business you depend on.
Ransomware shuts down your business
A member of staff accidentally opens a malicious email and downloads ransomware on to your business’s system. Your files are encrypted and the perpetrator is demanding a ransom in exchange for their decryption.
Your cyber insurance policy covers the ransom demand to unlock your system and covers profits lost due to business interruption.
Customer data breach
The app-based POS system you use in your small retail store or market stall is hacked. Customers’ private card details are stolen by a nefarious actor. You must pay compensation and fines as a result.
Your cyber insurance policy covers your legal costs and compensation payments due to affected customers, as well as any fines for PCI DSS non-compliance.
Benefits of cyber insurance
The benefits of cyber insurance are like those of any insurance product. You get peace of mind, support for when things go wrong, and can get back to your pre-disaster position faster. Another benefit of cyber insurance is that simply by meeting the requirements, you improve your general cybersecurity.
- Peace of mind
- Expert technical support
- Get back to business faster
- Improved in-house cybersecurity
As a specialist insurance product, cyber insurance covers the things that general business liability policies don’t. Not every general policy covers losses related to data breaches, especially when it comes to covering the loss of data.
Supplementing your insurance with cyber coverage can provide you with peace of mind that, in the event of an attack, your business’s financial and reputational well-being is protected.
5 Cyber insurance trends & challenges for 2023
Phishing might be popular, but ransomware is on the rise
83% of UK businesses that identified a cyberattack in 2021 were hit by a phishing attempt. But research by NCC Group reveals that ransomware attacks have risen by 92.7% in the last year. Ransomware has a unique place within cyber insurance. The question as to whether or not to pay a ransom or simply take the loss and deploy recovery countermeasures is hotly debated. Businesses may have internal policies to refuse to pay ransoms even if they’re covered. Insurers may not cover ransoms because there’s no guarantee that you’ll get your data back even if you pay. New threats mean that risk models need to change. Insurers need to move faster to keep up with the times and deliver products that businesses really need.
Premiums are on the rise
82% of cyber insurers expect to raise their premiums over the next two years. This is because the loss ratio (the losses an insurer incurs due to paid claims as a percentage of premiums earned) on cyber insurance is so high. In 2020, the loss ratio on cyber insurance was 66.9%. But, as Panaseer explains, “three of the insurers in the group saw losses exceed 100% of their total premiums”. So, it costs more to insure people than it’s worth. The result is that more large businesses are self-insuring – putting cash aside to cover themselves in the event of a breach. That’s great for large businesses, but as we race into a recession, where does that leave small businesses? Without intervention and cost-effective, comprehensive support, small UK businesses that are hit by a cyberattack will go under.
Cyber insurance adoption is low and claims are lower
The UK government’s 2022 Security Breaches Survey concluded that “cybersecurity is now seen as a high priority by a greater proportion of businesses than in any other year of the survey… In the qualitative interviews, it was found that this was driven by a good high-level understanding at the senior level of the risks cyberattacks pose.” This trend suggests that SMEs are actively looking for cybersecurity tools and talent to bolster their businesses.
“Of those with some form of cyber insurance, a tiny proportion of businesses and charities report having made an insurance claim to date. It is less than one per cent among businesses and two per cent of those charities with cyber security insurance in place.”
This shows us that the cyber insurance market is still in an immature state, with plenty of room to grow. What this means for businesses is that there are opportunities for better, more relevant, and cost-effective products to meet specific needs.
The lack of claims may indicate the effectiveness of the cyber insurance minimum requirements. By having these elements in place, businesses are protected from over 90% of common cyberattacks.
Supply chains are increasingly under attack
Supply chains are an increasingly enticing target for hackers who exploit the trust enterprises have in suppliers. Research from ENISA suggests that 62% of attacks on enterprises take advantage of supply chain relationships. This is a major problem because FSB research suggests that 77% of smaller businesses within the UK are part of supply chains. So, while your business might not be the true target of a cyberattack, a trusted customer further up the supply chain could be. As such, potential customers may start looking harder at the cybersecurity policies that potential suppliers and partners have in place.
Protect your business with CyberSmart
Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do?
Choose Active Protect from CyberSmart. Active Protect secures all employee devices that touch your company data. Simply send the downloadable link to your staff and Active Protect will check around the clock for the most common cyber threats and vulnerabilities – giving you everything you need to proactively manage risk.