Government research has found that just 11% of businesses have taken out specific cyber security insurance policies.
According to the Cyber Security Breaches Survey 2019, while the overall percentage did not change significantly year-on-year, in 2019 it rose for medium businesses (31%, vs. 19% in 2018) and large businesses (35%, vs. 24% in 2018), suggesting that the cyber insurance market has experienced growth in the last 12 months.
A further 15% of businesses and 10% of charities have previously considered but ruled out having cyber insurance.
Of those who have cyber insurance, a very small proportion have made an insurance claim: 3% of businesses and 12% of charities.
“That just one in ten businesses have cyber insurance policies is concerning considering the serious losses organisations can suffer from a data breach, particularly if it is not dealt with as efficiently as possible,” said Richard Breavington, partner at law firm RPC. “The police just don’t have the resources to pursue anything more than the very tip of the cybercrime iceberg, so paying for a private sector fix through insurance can hold real value.
“If a business suffers a serious cyber-attack, then insurance can provide the forensic help to bring a halt to the cyber-attack and get systems up and running, as well as covering the cost of the inevitable fallout.”
Reasons for not taking up cyber insurance
Among the 1,566 UK businesses and 514 UK registered charities surveyed, the main reasons for not having cyber insurance are:
- They are already covered by their external cyber security providers — 23% for businesses and 26% for charities;
- They lack an awareness of what cyber insurance is — 23% for businesses and 15% for charities;
- They consider themselves to be at too low a risk — 29% for charities and 22% for businesses.
Commenting on the figures, the Association of British Insurers (ABI) stated: “The rise in the number of large and medium-sized firms having cyber insurance reflects greater awareness of the value of this cover, as insurers play a vital role in supporting customers to recover from an attack, and in helping them manage the cyber threat. But we need to do more to promote this insurance to smaller firms, who are often the least protected against cyber criminals.”
Qualitative views on cyber insurance
For the survey, the Government spoke with various organisations with cyber insurance policies and found several common motivations for adopting their policies.
Many believe the cyber insurance market has simply become more developed, with policies appearing to be more accessible than before, and with some organisations saying that insurance premiums had decreased.
Beyond the level of liability being offered, many organisations said their main drivers for taking out policies were often the extras that went alongside any payment, such as having access to a breach management team or a forensics team to analyse the breach.
Some organisations that supplied other businesses were using cyber insurance as a proxy form of accreditation. Having insurance was something they could advertise to their business clients to demonstrate they had undertaken due diligence.
In some organisations, the individuals responsible for cyber security did not have a clear understanding of what the insurance covered. They had agreed to take it on for peace of mind, on the advice of their insurance broker. In these cases, the insurance broker was a particularly powerful influencer.