UK firms are increasingly protecting themselves with cybersecurity risk insurance, but there’s a long way to go: Nearly a third of them have not taken out insurance yet.
According to findings from research firm Ovum, even among those that have insurance, only 28% said they have cybersecurity insurance that covers all risks.
The UK fares worse than the rest of the world: 31% of UK executives surveyed say their firm has no cybersecurity insurance, compared to 40% in other countries surveyed (US, Canada and the Nordics).
“The UK will soon be subject to General Data Protection Regulation (GDPR), which introduces higher fines in cases of data breach,” said Steve Hadaway, general manager for Europe, the Middle East and Africa at FICO, which sponsored the research. “Even if attacks don’t increase in volume, firms could end up paying more, which makes having comprehensive insurance more important. At the same time, companies have a right to expect that they will pay less if their protection is better. The onus is on the cybersecurity insurance industry to make sure insurance rates are fairly set for each individual firm, based on a sound analysis of its risk.”
Even though the majority of firms surveyed have cybersecurity insurance, most say that the risk assessment process insurers use needs improvement. Just 31% of respondents think their premiums reflect an accurate assessment of their risk. Nearly as many, 29%, said they don’t believe the assessment accurately reflects their risk, and 11% said they don’t know how their insurance is priced. A full 69% of respondents say insurers should do more to explain how they price risk.
Cyber-insurance covers many things. According to stats from CFC Underwriting, privacy breaches (31%) accounted for the largest number of claims last year, followed by financial loss (22%) and ransomware (16%). Malware accounted for only 7% of claims, followed by DDoS attacks (5%), “unauthorised access to systems” (5%), and business interruption (4%).