A new study by cyber security experts NTT Security has shown that 66% of UK senior executives believe their company does not have adequate security cover to deal with a security breach and the financial implications of data loss. This is despite the fact that 81% agree that their organisation should have an insurance policy in place to help should a serious security breach take place.
The NTT report reviewed the attitudes of 1,800 global senior decision makers from non-IT functions in relation to the dangers to business and the value of information security. It showed that UK businesses would have to invest on average £1 million to recover from a major data breach.
When compared to other studies from around the globe, the UK compares poorly with other markets including the United States and Singapore (53%) when it comes to insuring against data breaches and data loss. However, UK firms do perform better than Benelux (27%) and the Nordics (23% in Sweden and 28% in Norway). The UK also ranks second from the bottom for use of cyber-specific insurance, just above Benelux (27%).
11% of those questioned in the UK are covered for data loss and just 6% agreed that their company insurance covers only information security violations. However, there is some concern due to the fact that 45% of those surveyed are aware if their company insurance includes either. The report also showed that the number of insurers providing cyber insurance via Lloyd’s of London has increased to more than 70 during 2018, almost twice what it was a few years ago.
Kai Grunwitz, senior vice-president for Europe at NTT Security, commented: “With estimated annual losses from cyber crime now topping $400bn (£291bn), according to the Center for Strategic and International Studies, you would hope more organisations would be beating a path to insurers’ doors. But while the insurance sector is certainly seeing growth in the number of policies being taken out to cover such losses, it’s an issue that many senior decision-makers are not on top of.”
Grunwitz finished by saying: “While cyber risk insurance should be put in place to help mitigate the potential fallout of a data security breach, a policy must not be seen as a ‘get out of jail free’ card. Cyber insurance must be complementary to an effective risk-based information security strategy, not a replacement for it. You wouldn’t expect your house insurance provider to pay out if you were burgled when the doors and windows are left unlocked. So don’t expect a payout – or indeed an insurance policy – if you haven’t put in place the right processes and policies.”