Cyber "myths" putting UK SMEs at risk
In recent years, cyber attacks on large corporates and even governments have become an almost daily occurrence. Despite this, a significant number of UK businesses are failing to adequately protect themselves from such attacks and face potentially significant losses as a result. According to new research from the government's "Cyber Streetwise" campaign, so-called SMEs (small and medium-sized businesses) are particularly at risk due to a misperception that they are not likely to be targeted by cyber criminals. The research found that two thirds of SMEs do not consider themselves to be vulnerable to attack and just 16% are prioritising their cyber security in 2015. This is worrying in light of findings by the Department for Business, Innovation & Skills (BIS) in late 2014 that 60% of small businesses in the UK had suffered a malicious cyber breach in the previous year.
High profile hacks
From large companies like Sony and Target to celebrities Rihanna and Jennifer Lawrence, over the last few years there have been numerous high profile cyber attacks. These have usefully highlighted the growing risk of cyber crime but have left many with the impression that cyber criminals only go after large, global corporates or high profile individuals. In reality, anyone who holds data is a potential target.
In 2014 Symantec estimated the chances of a large company being the subject of a so-called "Spear Phishing" attack as 1 in 2.3 (or 39%), with the chance of a small business being attacked as 1 in 5.2 (or 30%). These statistics show that cyber crime is just as much of a threat to SMEs as it is to global corporates like Sony. Importantly, whilst large companies may have the resources to monitor and better manage cyber security through technology, systems and controls, SMEs are unlikely to have those same resources, making them an easy target.
How can SMEs protect themselves?
According to BIS, the most common problems faced by SMEs come from "internal threats": staff exposing IT systems to malware by plugging in external devices, opening infected emails or using unsafe websites. Taking certain, seemingly obvious, steps can protect an SME from a cyber attack, for example: training staff; keeping software secure by installing updates; using anti-virus software; using complex passwords; and encrypting data. Even if SMEs adopt all of these best practices, however, the sophistication of cyber threats and the fact that cyber criminals continuously adapt and develop new ways to attack mean it is likely, if not inevitable, that these companies will suffer breaches.
Should SMEs have dedicated cyber insurance?
Many SMEs think that their traditional insurance covers will adequately protect them in the event of a cyber attack but in reality that is not the case:
- Professional indemnity (PI) policies usually provide third party cover only and do not cover the costs of reputational damage, PR, customer care, regulatory investigations etc.
- Fidelity or "crime" policies typically require both a loss to the company and a corresponding gain to an identifiable individual, whereas it is usually impossible to identify the cyber criminal behind an attack.
- Fidelity policies also do not extend to a business's lost income or reputational damage.
In 2014 the New York Supreme Court held that Sony's insurers were not obliged to indemnify the company under its general commercial liability policies, whereas Target was said to recover approximately $90 million under its dedicated cyber liability policies. In our view, a similar decision would be likely in the English courts.
Taking out cyber cover – a health warning!
There are a number of things which policyholders should bear in mind when purchasing cyber cover.
1. Don't underestimate the true cost of an attack
Many businesses misjudge the amount of business interruption costs which they may suffer following an attack, particularly where the company has a significant online presence and may have to cease trading altogether while it investigates a breach.
2. Negotiate the retroactive date and extended reporting period
Cybersecurity firm Mandiant recently reported that the average number of days attackers were present on a victim's network before they were discovered was 229 days, over seven months. In our experience, many new cyber policies offered by the London market are written on a claims-made basis with a retroactive date that is the same as the policy inception date. The result is that coverage is only available when both the hack and the resulting loss occur during the policy period, and policyholders will not be covered when:
- Their network is breached weeks or months before the policy has incepted but the loss only arises after policy inception; or
- Their network is breached during the policy period but the resulting loss only arises after the policy has expired.
We see no reason why, when insurers have carefully assessed a company's cyber risk profile (including sometimes using an independent IT consultant), the retroactive date should not be one year, and preferably two years, before the inception date.
Similarly, in our view insurers should be willing to offer an extended reporting period, which extends the period of coverage beyond the policy's expiry date thereby providing cover for losses which occur after expiration as a result of a breach during the policy period.
Cyber crime has become an unfortunate inevitability for many UK businesses. Despite increased awareness and improvements in technology, there is only so much a business can do to protect itself through infrastructure alone. SMEs are particularly vulnerable as they may not have the resources to prevent an attack or the financial stability to withstand one. Insurance is an important way for these businesses to protect themselves, although policy wordings need to be reviewed carefully to ensure that cover is sufficient and the policy properly responds in the policyholder's hour of need.