Two-thirds of UK businesses not insured against data breaches

Only one third of senior executives in UK organisations admit their company insurance currently covers them for a security breach and for the financial impact of data loss, despite the fact that 81 per cent agree that it is vital their organisation is insured against information security breaches.

The figures come from the latest Risk:Value report from NTT Security, which also found that less than a third (29 per cent) of firms have dedicated cybersecurity insurance in place. The 2018 report, which examined the attitudes of 1,800 global senior decision makers to information security risks, revealed that UK businesses would have to spend an average of £1m to recover from a breach.

While the UK compares poorly to some other markets such as the US and Singapore when it comes to insuring against both information security breaches and data loss, it still fares better than much of Europe. The UK outperformed Benelux (27 per cent), Norway (28 per cent) and Sweden (23 per cent) in this regard. However, it also ranked second from last for having dedicated cybersecurity insurance, alongside Germany and just above Benelux (27 per cent).

Just six per cent of respondents in the UK said their company insurance covers only for information security breaches, while 11 per cent are covered only for data loss. However, of greater concern is that 45 per cent did not know if their company insurance covered either of these activities – the highest rate in the report, and well above the global average of 23 per cent.

“With estimated annual losses from cyber crime now topping $400bn (£310bn) according to the Center for Strategic and International Studies, you would hope more organisations would be beating a path to insurers’ doors,” said Kai Grunwitz, senior vice president for EMEA at NTT Security. “But while the insurance sector is certainly seeing growth in the number of policies being taken out to cover such losses, it’s an issue that many senior decision makers are not on top of.”

The report by NTT Security also found that half of respondents in UK organisations believed that a failure to maintain or apply updates to existing IT systems would or could invalidate their company insurance, while 37 per cent believed such a failure would also result in a lack of compliance with industry regulations, including GDPR.

The number of insurers offering cyber insurance via Lloyd's of London has grown to more than 70 in 2018, almost double what it was a few years ago, while insurance giant Allianz predicts that global cyber insurance premiums will grow to $20bn by 2025, from around $3-4bn at the moment.

“While cyber risk insurance should be put in place to help mitigate the potential fallout of a data security breach, a policy must not be seen as a get out of jail free card,” said Grunwitz. “Cyber insurance must be complementary to an effective risk-based information security strategy, not a replacement for it. You wouldn’t expect your house insurance provider to pay out if you were burgled when the doors and windows were left unlocked.”