Fewer than one in three UK businesses (29 per cent) have dedicated cyber security insurance in place, leaving many liable to pay huge costs in the event of a breach. And only a third of UK companies said that their company insurance policy also covers security breaches and the financial impact of data loss, despite the fact that 81 per cent agree that it is ‘vital’ their organisation is insured against information security breaches. The report by NTT Security also found that UK businesses would have to spend on average £1 million to recover from a breach.
The report gathered opinions and data from 1,800 global senior decision makers from non-IT functions. It also stated that the number of insurers now offering cyber insurance via Lloyd's of London has doubled in recent years to more than 70 and that insurance company Allianz predicts that global cyber insurance premiums will grow to $20bn by 2025, up from around $3-4bn currently.
Companies in the UK are less likely to have cybersecurity insurance compared to businesses in the US and Singapore, although firms in Benelux, Germany and the Nordic countries also have a low rate of cyber insurance.
Financial impact of data breach
The report also highlighted the financial impact of a security breach, with the survey's respondents saying they are concerned about direct loss of revenue as well as financial penalties from regulators and loss of share value. The respondents said they would expect a revenue drop of 10.29 per cent on average. They also predicted an average recovery time of 57 days if hit by a data breach, with the cost of recovery estimated at $1.52 million. And 41 per cent of the global respondents said their company has already suffered a data security breach.
The report also found that:
- a third of the global executives said that their company would prefer to pay a hacker's ransom fee rather than invest in IT security and insurance;
- half of respondents in UK organisations believe that the failure to maintain or apply updates to existing IT systems would or could invalidate their company insurance;
- 37 per cent point to lack of compliance with industry regulations, including the General Data Protection Regulation (GDPR), which mandates that customers are notified within 72 hours of a breach;
- 63 per cent of respondents in the UK say they have an incident response plan in place;
- 18 per cent are in the process of implementing one;
- 38 per cent agree that lack of an incident response plan could or would also invalidate their company insurance.
NTT Security’s Kai Grunwitz comments: “While cyber risk insurance should be put in place to help mitigate the potential fallout of a data security breach, a policy must not be seen as a ‘get out of jail free’ card. Cyber insurance must be complementary to an effective risk-based information security strategy, not a replacement for it. You wouldn't expect your house insurance provider to pay out if you were burgled when the doors and windows are left unlocked. So don't expect a payout – or indeed an insurance policy – if you haven't put in place the right processes and policies.”