Christian Toon: Mitigate risk with cyber insurance
A recent disclosure to Companies House highlights the value that UK businesses can derive from taking out cyber insurance cover, writes Christian Toon.
The Law Gazette reported how the company behind conveyancing firm Simplify was able to recover from its insurance provider the majority of costs the company attributed to a cyber incident in 2021. The Law Gazette’s report followed its analysis of annual accounts filed by UKLS Acquisitions Limited for the year ending 31 March 2022.
The accounts reveal exceptional costs of almost £7.3 million arising primarily from a cyber-attack on Simplify in November 2021, that the company was able to make a successful claim to its insurers in relation to the incident, and that the amount it recovered in relation to the incident was nearly £6.8m.
The Law Gazette’s report comes at a time when there is growing scrutiny of the cyber insurance market and against a background of a sharp rise in cyber incidents in Scotland.
In 2021-22 Police Scotland recorded an estimated 14,280 cybercrimes, similar to the previous year’s 14,860 figure, but a huge increase compared to just 7,710 cybercrimes recorded in 2019-20.
A major Scottish car dealer recently revealed that a Christmas cyber-attack may have resulted in the theft of personal data of some customers, while the charity Scottish Association of Mental Health was the victim of a “devastating” and sophisticated cyber-attack by cyber-criminal gang RansomEXX, which resulted in personal data being dumped on the dark web.
In November 2022, NHS Scotland suffered a major security breach which impacted up to 5.5 million patients across Scotland and which blocked access to patients’ records for months.
A report by cybersecurity firm Sophos revealed that ransomware payments have nearly doubled in the past year, with UK companies paying more than the global average. The report found that ransomware payments rose to $1.5 million, up from $812,000 the previous year; however, the average payment by UK organisations was $2.1 million.
The Federation of European Risk Management Associations told the Financial Times that it is concerned that cyber insurance may become “an unviable product for many organisations”. The body is seeking “a more collaborative approach to cyber balancing the risk appetite of the insurance market with the coverage requirements of the corporate buyers”.
Businesses need to understand whether the policies on offer cover the specific risks they face, as well as the risks associated with taking out such policies, such as gaps in coverage and its cost. However, the Simplify example highlights how cyber insurance can be a worthwhile investment for some businesses.
Cyber insurance can be a valuable tool for protecting your business or personal assets from a variety of cyber-related risks, such as data breaches, malware, and cyber extortion, but the decision of whether or not to purchase cyber insurance depends on a number of factors, including the size and nature of your organisation, the type of data you handle, and your overall risk management strategy.
If you are concerned about the potential risks associated with cyber-attacks and data breaches, it may be worth considering cyber insurance to help protect your business and your stakeholders.
Christian Toon is head of cyber professional services at Pinsent Masons