SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Why cyber insurance is important for heavily regulated SMEs
Mon, 27th Feb 2023

Cyber attacks are an inevitability. This is the reality modern businesses operate in, and it's essential they act accordingly. Thus far, much of the advice dished out to organisations - SMEs and large corporations alike - has been focused on preventative measures. This is both understandable and sensible: too many businesses fail to put basic cybersecurity measures in place and suffer the consequences. However, it has become clear in the last few years that no matter how sophisticated an organisation's defences, cybercriminals can still find a way in. For businesses, SMEs in particular, operating in the most heavily regulated sectors - finance, telecoms, or energy, for example - regulatory fines, on top of the costs of containing a breach, have the potential to bring an organisation to its knees. To prevent this, organisations must turn to cyber insurance.

Regulatory fines

In recent years, the UK government has woken up to the importance of proper cybersecurity. This is perhaps best exemplified in the National Cyber Strategy 2022 and the UK Telecoms Security Proposal. It is not necessary for us to examine these documents in detail, but it is worth noting that they represent a change in the UK government's attitude towards cybersecurity. Pre-2022, the government generally employed an incentive- and education-based approach to cybersecurity - a whole lot of carrot but very little stick. Regulation played a relatively insignificant role. These two documents, however, outlined a new approach, one that focused more on regulation. Less carrot, more stick.

While stricter regulation has been generally welcomed by security experts, it presents a problem for SMEs, especially those in the most heavily regulated industries. Not only does implementing new security controls cost money, but the threat of financial penalties is a constant worry. Just last year, Instagram was fined €405,000,000 for breaching GDPR regulations, and a GDPR breach is a likely consequence of any data breach. It's essential that SMEs have processes - namely, cyber insurance - in place should the worst happen.

But not all cyber insurance offerings are created equal. It's imperative that SMEs ensure their offering covers both liability insurance (money owed to a third party, e.g. a regulatory body) and first-party insurance (the business's own losses) so that the cost of regulatory fines is covered.

Business continuity

Almost all of the businesses subject to the most stringent regulations are regulated so heavily because they are classed as critical national infrastructure (CNI). Organisations are categorised as CNI because they are deemed essential to the day-to-day functioning of society and the economy. For businesses in the CNI sector, business continuity must be top of mind in the event of a cyberattack - not only for their own benefit but for the country at large.

Cyber insurance is an invaluable tool for ensuring business continuity in the event of a cyberattack. Many insurance providers will have cyber incident response (CIR) on retainer, ready at any moment to work on mitigating or even remediating the damages of an attack. Having such a team on standby, paid for by an insurance provider, has enormous benefits for businesses in the CNI sector - both in terms of business continuity and finances.

Not only would having a cyber insurance policy in place cover the cost of CIR teams, but it would also mean they would be deployed sooner in the event of a successful attack. Reacting to a cyber attack quickly is absolutely essential - the longer a cybercriminal is allowed to work inside an organisation's IT infrastructure, the more damage they can do. This could mean longer downtime and greater impacts on business continuity, as well as more stolen information and, ultimately, more significant financial consequences.

The problems

At this point, we would be remiss to ignore the challenges that the cyber insurance industry currently faces, as well as the concerns businesses or security experts have about taking out policies.

The foremost of these concerns is, perhaps unsurprisingly, cost. The soaring price of cyber insurance premiums is widely reported on and has understandably put many businesses - particularly SMEs - off the whole idea. However, there are steps organisations can take towards bringing the cost of cyber insurance down.

Many insurance providers offer discounts to organisations with Cyber Essentials or Cyber Essentials Plus accreditations. The Cyber Essentials accreditation scheme is a government-backed project that aims to ensure businesses implement basic "cyber hygiene" in order to prevent the vast majority of cyberattacks. The best Cyber Essentials providers will even run a security audit to ensure that businesses pass first time. It's also worth pointing out here that the soaring costs of cyber insurance premiums generally only apply to large, complex, multi-million-pound organisations, not SMEs. In fact, many cyber insurance providers offer coverage from less than £15 a month.

Another challenge the cyber insurance sector faces is one of ignorance. Some security experts have expressed concern that SMEs will see cyber insurance as a "set it and forget it" response to cyber threats. This is perhaps a legitimate concern. SMEs typically don't want to have to worry about their cybersecurity, but in reality, any reputable insurer would impress upon SMEs the importance of their role in ensuring their organisation's cybersecurity. Moreover, it's in the insurer's best interest to ensure SMEs recognise the importance of good cybersecurity, as it would lower the likelihood of them having to pay out.

In short, cyber insurance is an absolute essential for SMEs operating in heavily regulated industries. It helps minimise business disruption and provides financial protection during an incident, as well as aiding in any legal and regulatory actions after an incident.