Cyber expert Craig Watson from RSA Insurance shares his thoughts with smeweb.com.
Craig, how prepared are SMEs in the UK when it comes to facing the challenges of cyber security?
Cyber threats are one of the most common risks facing SMEs, a trend that is only likely to grow in the future. While SME decision-makers may believe they are below the threat radar, government figures show that a quarter of all businesses detected one or more cyber security breaches in the last 12 months. The fact that 28% of SMEs in the UK say they would go out of business if faced with an unexpected bill of £50,000 highlights the danger. A cyber attack could easily cost more than that as the average cost of a breach to small businesses is between £75,000 and £310,000.
Nine out of ten large organisations and 75% of SMEs experienced some form of IT attack in 2015. The PwC survey revealed that 73% of businesses identified new risks their company were facing that were not present when they started. Despite this, 82% had not altered or increased their insurance coverage as a result of technological change. While more traditional risks still hold a fundamental threat to businesses of all sizes, newer and less transparent risks are growing quicker than businesses are protecting themselves against them.
What cyber related issues are likely to impact a business?
One of the issues remains that cyber as a word is often used to describe a myriad of risks. What does it mean? What problems does it encapsulate? These are typical of the issues we’ve witnessed:
• Virus or hacking attacks which stop customer transactions
• Corruption or damage of data
• Ransomware or similar extortion via their IT platforms or website
• Loss of customer, supplier or critical process data
• Consequent liability to a third party, including associated litigation, fines, costs, awards and damages
• Subsequent damage to reputation as a result of the attack
• Loss of gross profit or gross revenue
Aligned to these problems are the number of experts your typical SME would need to engage with to manage the problem – legal support; IT forensics; specialist IT ransom or extortion specialists; PR to help manage the message; and external providers who can write out to all your data subjects who have been impacted by any breach. And this list is not exhaustible.
You’ve done a lot of research at RSA recently. What have you discovered?
Insurance is a key resource businesses can use to help manage their own risk. However, SME decision-makers often don’t realise the need to take out additional cover for the major risks they face. Too many businesses – 43% – have not reviewed their business insurance for over a year, which suggests they are not putting sufficient time into understanding what they can do to protect their future. Underinsurance is considered a concern among SMEs, according to almost nine out of 10 brokers, and the importance for brokers to work with SMEs on regular reviews is clear.
We’ve seen businesses evolve seamlessly into using IT as part of their operational ‘DNA’. But the insurance programmes most customers buy will not extend to cover the vast majority of IT or cyber issues. With the EU General Data Protection Regulation to be enacted in May 2018 it is vital that every business understands the importance that a bespoke cyber risks policy can play as part of a robust risk transfer programme.
What can happen to a company without sufficient cyber security insurance?
Around 40% of SMEs in the South West would go out of business if faced with an uninsured £50,000 claim, versus a national average of 28%. This was the highest figure reported, while SMEs based in London would be the least likely to go out of business (20%).
What should an SME do today to make sure it has the best protection against cyber threats?
1. SMEs must ensure they review their insurance annually
2. Speak to a broker as part of their review to discuss any emerging risks that they should be aware of
3. Strongly consider the impact of technological risk to their business, notably cyber cover. Many SMEs will have no cover so it’s vital they speak to their broker to ensure they clearly understand the risks posed and the insurance cover that is available