EXPERT VIEW
CYBER SECURITY
NO HIDING PLACE!
SME catches up with cyber expert Craig Watson from RSA Insurance
Craig, how prepared are SMEs in the UK
when it comes to facing the challenges of
cyber security?
Cyber threats are one of the most common
risks facing SMEs, a trend that is only likely
to grow in the future. While SME decision-makers
may believe they are below the
threat radar, government figures show that
a quarter of all businesses detected one or
more cyber security breaches in the last 12
months. The fact that 28% of SMEs in the
UK say they would go out of business if
faced with an unexpected bill of £50,000
highlights the danger. A cyber attack could
easily cost more than that as the average
cost of a breach to small businesses is
between £75,000 and £310,000.
Nine out of ten large organisations and
75% of SMEs experienced some form of IT
attack in 2015. The PwC survey revealed
that 73% of businesses identified new risks
their company were facing that were not
present when they started. Despite this, 82%
had not altered or increased their insurance
coverage as a result of technological change.
While more traditional risks still hold a
fundamental threat to businesses of all sizes,
newer and less transparent risks are growing
quicker than businesses are protecting
themselves against them.
What cyber related issues are likely to
impact a business?
One of the issues remains that cyber as a
word is often used to describe a myriad of
risks. What does it mean? What problems
does it encapsulate? These are typical of the
issues we’ve witnessed:
• Virus or hacking attacks which stop
customer transactions;
• Corruption or damage of data;
• Ransomware or similar extortion via their
IT platforms or website;
• Loss of customer, supplier or critical
process data;
• Consequent liability to a third party,
including associated litigation, fines, costs,
awards and damages;
• Subsequent damage to reputation as a
result of the attack;
• Loss of gross profit or gross revenue.
Aligned to these problems are the number
of experts your typical SME would need to
engage with to manage the problem – legal
support; IT forensics; specialist IT ransom or
extortion specialists; PR to help manage the
message; and external providers who can
write out to all your data subjects who have
been impacted by any breach. And this list is
not exhaustible.
You’ve done a lot of research at RSA
recently. What have you discovered?
Insurance is a key resource businesses can
use to help manage their own risk. However,
SME decision-makers often don’t realise the
need to take out additional cover for the major
risks they face. Too many businesses – 43% –
have not reviewed their business insurance
for over a year, which suggests they are not
putting sufficient time into understanding
what they can do to protect their future.
Underinsurance is considered a concern
among SMEs, according to almost nine out of
10 brokers, and the importance for brokers to
work with SMEs on regular reviews is clear.
We’ve seen businesses evolve seamlessly
into using IT as part of their operational
‘DNA’. But the insurance programmes most
customers buy will not extend to cover the
vast majority of IT or cyber issues. With the
EU General Data Protection Regulation to
be enacted in May 2018 it is vital that every
business understands the importance that a
bespoke cyber risks policy can play as part of
a robust risk transfer programme.
What can happen to a company without
sufficient cyber security insurance?
Around 40% of SMEs in the South West
would go out of business if faced with an
uninsured £50,000 claim, versus a national
average of 28%. This was the highest figure
reported, while SMEs based in London would
be the least likely to go out of business (20%).
What should an SME do today to make
sure it has the best protection against
cyber threats?
1. SMEs must ensure they review their
insurance annually.
2. Speak to a broker as part of their review to
discuss any emerging risks that they should
be aware of. Broker advice is free for SMEs
and BIBA provides a useful directory to help
them find a suitable broker here:
www.biba.org.uk/find-insurance/
3. Strongly consider the impact of
technological risk to their business, notably
cyber cover. Many SMEs will have no cover so
it’s vital they speak to their broker to ensure
they clearly understand the risks posed and
the insurance cover that is available.
rsagroup.com/what-we-do/commercial-insurance
+44 (0) 1403 232 323
Research sourced from a survey conducted September - October 2016 by Opinium on behalf of Cicero (and RSA) speaking to 1000 UK SME senior
decision makers. Insurance broker field work was conducted by Cicero, which interviewed 84 broker respondents.
www.smeweb.com