A new report by cyber security company NTT Security has revealed that 66% of UK senior executives admit their company does not have adequate security cover to deal with a security breach or the financial impact of data loss. This is despite the fact that 81% agree that their organisation should have an insurance policy that is prepared to help in the event of serious security breaches.
The NTT report examined the attitudes of 1,800 global senior decision makers from non-IT functions to dangers to the business and the value of information security. It showed that UK businesses would have to spend on average £1 million to recover from a significant data breach.
When compared to similar studies from the rest of the world, the UK compares poorly with other markets including the United States and Singapore (53%) when it comes to insuring against data breaches and data loss. However, UK firms do perform better than Benelux (27%) and the Nordics (23% in Sweden and 28% in Norway). The UK also ranks second from the bottom for the use of cyber-specific insurance, just above Benelux (27%).
11% of UK respondents are covered for data loss and just 6% agreed that their company insurance covers only information security breaches. However, there is some concern due to the fact that 45% of those questioned are not aware whether their company insurance includes either of these. The report also revealed that the number of insurers providing cyber insurance via Lloyd’s of London has grown to more than 70 during 2018, almost double what it was a few years ago.
Kai Grunwitz, senior vice-president for Europe at NTT Security, said: “With estimated annual losses from cyber crime now topping $400bn (£291bn), according to the Center for Strategic and International Studies, you would hope more organisations would be beating a path to insurers’ doors. But while the insurance sector is certainly seeing growth in the number of policies being taken out to cover such losses, it’s an issue that many senior decision-makers are not on top of.”
Grunwitz concluded by saying: “While cyber risk insurance should be put in place to help mitigate the potential fallout of a data security breach, a policy must not be seen as a ‘get out of jail free’ card. Cyber insurance must be complementary to an effective risk-based information security strategy, not a replacement for it. You wouldn’t expect your house insurance provider to pay out if you were burgled when the doors and windows are left unlocked. So don’t expect a payout – or indeed an insurance policy – if you haven’t put in place the right processes and policies.”