How well do you really understand cyber risk?

We are Cyber Essentials accredited. Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks.
Are you under-prepared and under-protected?

We've all heard the many high-profile stories about well-known brands and their customers falling victim to cyber security breaches in 2015-16. It's all too easy to tell ourselves that such threats are only the concern of large, national or multi-national firms. In fact, research in 2016 showed that 74 per cent of small UK businesses suffered a security breach in 2015, up 14 per cent from 2014. The average cost of the worst breach a small business will experience is £75k-£311k. The British Insurance Brokers Association describes an alarming degree of underinsurance.

So why are so many small-medium sized enterprises (SMEs) inadequately protected? The following are statements we often hear:

- "It won't happen to us, we're too small."
- "We've got some cyber cover within our commercial insurance policy, it'll probably do."
- "It's too difficult, I wouldn't know where to begin."
- "It's too expensive."
- "Our IT department have it under control."
You don't have to be big to be at risk

It's a common misconception that small businesses don't hold commercially sensitive data. A survey showed that the vast majority of SMEs dramatically underestimate the value of their information, yet 95 per cent hold data in their systems, with 45 per cent holding intellectual property data. From customer and supplier email addresses and financial records, to intellectual property, data has a value and therefore makes you a potential target. New General Data Protection Regulations (GDPR) come into effect in 2018 and will see an increase in maximum fines for breaching data protection requirements.

Do you really know exactly what you're covered for?

Most commercial policies now include an element of cyber insurance. But it can be quite difficult to get to grips with exactly what you're covered for. You might not necessarily be aware of all of the ways in which you are vulnerable (or up to speed with cyber-related jargon). And, because there is little commonality between one insurance policy and another, it can be hugely difficult to compare like for like.

- 74% of small businesses suffered a security breach in 2015, an increase of 14% on the previous year. [1]
- £75k-£311k is the average cost to a small business of its worst security breach of the year. [1]
- Over 23,000 records are now exposed every time a UK business suffers a data breach. [1]
- 78% of SME businesses across the UK have not considered protecting themselves against cyber threats. [1]
- Approx. 73% of businesses identify new risks that their company faces that were not present when they started [2]... but 82% have not altered or increased their insurance coverage as a result of technological change. [2]
- 83% of consumers are concerned about which businesses have access to their data [3], and... 58% say a breach would discourage them from using a business. [3]

The problem with cyber risk is that, by its very nature, it is constantly evolving

The ways in which businesses manage data and utilise technology in their day-to-day operations are becoming ever more diverse and enterprising, creating new risks to manage. Cyber criminals are clever, and their strategies and tactics are constantly evolving. How do you manage risk effectively when new risks seem to present themselves so frequently that you can't possibly recognise them all? No business will ever be 100 per cent protected from cyber threat, not even those with the most extensive and sophisticated of defence and response measures in place. But that's not a reason to do nothing.

Cyber risk is not an IT issue, it's a business issue

Cyber risk isn't a technical problem, it's a business risk issue. Traditional preventative measures like firewalls and antivirus software are no longer enough. To successfully manage cyber risk requires senior management to understand its significance and make it a priority, engaging and involving people across all areas of the business to take responsibility. Risk management has to be an ongoing process. Your risk management programme needs to be regularly reviewed to ensure it reflects your changing needs.
Insurance alone is not enough

Not all risks can be insured: for example, fines, upgrade costs, and honouring contractual obligations, not to mention potential reputational damage and loss of customers. Nor does every risk necessarily need to be insured. As a rule, prevention is better than cure. Insurance should be seen as just one part of the risk management equation. An effective strategy requires an understanding of the specific risks to which you're exposed, and an appropriate combination of measures to manage them, for example:

- Transfer: Which risks should, and can be, insured within your budget?
- Avoid: Which activities present so great a risk that you should avoid them altogether?
- Accept: Which risks do you just have to accept, and budget for?
- Reduce: What measures can you take to mitigate the risk?
- 28% of SMEs in the UK say they would go out of business if faced with an unexpected bill of £50k. [3]
- 89% of small businesses that experienced a breach said it had a negative impact on their reputation. [3]
- 94% of procurement managers say that cyber security standards are important when awarding a project to an SME supplier. [3]

The need for objective advice

Unfortunately, it's generally SMEs, without the financial and technical resources of the bigger players, that are most likely to go out of business following a cyber attack. Often, the inability to deliver their services to their customers, inadvertently exposing their customers and other stakeholders to risk, and the resultant damage to their reputation is too difficult to recover from.

Improving the effectiveness of your cyber risk management needn't be incredibly difficult, or expensive, and will pay dividends. Independent, objective advice can be invaluable. The Insurance Act 2015 requires that businesses make a fair presentation of their risks to insurers, and this would include cyber information. A good insurance broker will help you do this, and help ensure that insurers are kept informed as your business and your insurance needs change. They'll also help you with security and other measures to give you peace of mind that you're not unduly exposed and that, in the event you need to make a claim, you can demonstrate good practice.

- 68% of businesses say the most common types of breaches were from viruses, spyware or malware. [4]
Our cyber risk management services

As an independently owned insurance broker, we are well placed to offer impartial, objective advice and help you put together a robust risk management programme. Our services include:

- assessment of your risks and review of the adequacy of your current risk management measures;
- objective advice and guidance, recommendation of simple, practical measures and the creation of a risk management programme combining insurance and other risk management measures;
- access to specialist diagnostics services, through our trusted specialist partners;
- business continuity planning;
- access to specialist crisis and media management services through our trusted specialist partners;
- insurance placement: cyber liability insurance, business interruption insurance and insurance for all other key business risks; and
- claims management and disaster recovery.
Talk to us

For more information about how we can help you assess and manage the cyber risks your business is exposed to, please get in touch. Speak to your usual Lucas Fettes contact, call us on 0330 660 0401 or email us at cyberrisk@lucasfettes.co.uk

www.lucasfettes.co.uk

[1] 2015 Information Security Breaches Survey, HM Government
[2] Future impacts: The changing nature of risk facing small businesses in the UK, RSA, November 2016
[3] Small business reputation and the cyber risk, Cyber Streetwise and KPMG, 2015
[4] Cyber Security Breaches Survey 2016 - Report

Lucas Fettes & Partners Limited are independent insurance intermediaries, authorised and regulated by the Financial Conduct Authority.