Could SMEs be easy targets?

Businesses of all sizes are vulnerable to cyber-attacks. As the world evolves, so do the risks that people and businesses will face.

Yet the prevailing attitude regarding cyber-attacks on business is perhaps exacerbated by the fact that attacks on big business are publicised, unlike attacks on small to medium businesses.

The reality of it all

However, the result of a cyber-attack on any business is financial and/or reputational damage.

According to the 2015 Information Security Breaches Survey (Department for Business Innovation & Skills), 74% of small businesses in the UK suffered a cyber-security breach in 2015, with the average cost of those breaches reaching £75 000-£311 000.

All businesses conduct transactions using computers and mobile phones, which collect and store data, and a lot of data at that. Even if businesses have cyber security policies in place, the reality is that it is people who use these business tools, and it is usually people who expose a business's IT system to malicious software and malware and allow hackers to harvest a business's valuable and sensitive information.

General view on cyber insurance

The cyber defence challenges faced by small to medium businesses are:

  1. Constraints in cyber security staff (the skills required of cyber security staff are different from those of dedicated IT staff);
  2. Lack of training of staff on cyber risks and how to prevent cyber-attacks;
  3. Even becoming aware of a cyber-attack, or of being a target of a potential cyber-attack;
  4. Cost of cyber security; and
  5. Lack of knowledge on the value of procuring cyber risk insurance.

Even if small to medium businesses do invest time, resources and funds in an attempt to prevent or mitigate a cyber-attack, they do not specifically seek cyber insurance. Insurance is in any event regarded as a grudge purchase, and if the small to medium business already has general liability insurance, they believe that this cover is sufficient to cover their risk. Cyber risk insurance is also generally viewed as a "big corporate" insurance policy.

Specialist risk cover

However, a general liability insurance policy may not actually cover the risk comprehensively, or the cover may not be adequate or appropriate for the type of business conducted by the small to medium business. A stand-alone policy could provide better and more extensive cover.

A specialist cyber risk insurance policy usually covers the following:

  • Loss of income and operating expenses due to network security breaches;
  • Coverage costs for failure to respond to a security or privacy breach (this can even include service providers such as specialists in public relations);
  • Third party claims due to the failure of the insured's security network or failure to prevent unauthorised access to personal information; and
  • Where insurable, regulatory fines and penalties.

Considerations when providing advice

In terms of the Protection of Personal Information Act, 2013, all organisations regardless of size have an obligation to protect personal information and to process it in a secure manner. Although absolute security is never possible, you can limit a potential breach by responding adequately to the incident and managing the data breach. Having a cyber risk insurance policy is a good way of helping to mitigate the risks from the detrimental effect of a cyber-attack on a business's reputation, financial loss and regulatory non-compliance.

Brokers need to ensure that their clients are made aware of this real risk to their business and that it is not a risk limited to big business. In fact, in most instances it is the small to medium businesses that face a higher cyber risk, as criminals view them as easy targets.

When providing advice, brokers need to consider whether a general liability insurance policy actually provides their client with adequate cover and, if not, they need to advise their clients of the risks of not obtaining a stand-alone cyber risk insurance policy.
