What if the government said that there were too many businesses in the UK, and the fate of every SME would be determined by a roll of the dice? On a roll of 3 to 6, the business was safe, but on a roll of 1 to 2 on a six sided die, the business would close down?
That’s about the odds that a business has if they get hacked. An estimated 34% of SMEs who suffer a successful ransomware attack in the UK have to close their doors. Telemedia explains that this is the second highest figure in the world, behind the UAE’s post-incident closure rate, and just ahead of the US.
Clients will often ask if they really need cyber insurance. After all, plenty of SMEs don’t have it, and lots of them seem to be getting along just fine. But one glance at the odds of survival should give them the answer to that little question.
Still, let’s break it down. There are several reasons why cyber insurance in the UK is critically important, but the first is quite elementary: Many SMEs simply don’t know the value of their data.
Should SMEs Self Insure or Buy Cyber Insurance in the UK?
When an SME can answer this question, it means that they’ve actually done an assessment of their data’s value, and how critical it is for continued operations. So it’s a great place to start.
Every business needs to decide if they can cover the value of their own data in case of loss, AKA ‘self insurance’, or if they need an outside insurer to cover the hit.
To put it in more technical terms, self insuring means that the company’s business continuity and disaster recovery (BC / DR) plans can fully absorb the cost and effort of making a complete recovery from a ransomware attack. So a reserve needs to be kept at all times, or a solid investor agreement needs to be in place to cover such contingencies.
But here’s the reality of the situation: The above scenario is quite rare. BC / DR plans are expensive to execute, and setting aside enough funds to self insure simply isn’t part of most business plans. As PWC points out:
‘Organisations that self-insure must also ensure they have access to key specialist services where needed, such as incident response, forensics, legal, communications, crisis support and negotiators.’
UK SMEs rarely have the kind of war chest needed to casually pay out seven figure ransoms or fund several weeks of system restoration operations. The alternative to this is to buy cyber insurance.
What are the Main Criteria for Buying Cyber Insurance in the UK?
Our old friends at the National Cyber Security Centre (NCSC) have a helpful guide for assessing an SME’s need for cyber insurance in the UK. Some of the highlights include:
Assess the policy: It’s important for an SME to pick the policy that actually covers their risks, and it’s equally important for brokers to insist on a thorough underwriting process. Both parties need to examine the current state of the company’s cybersecurity, agree on potential gaps in their defences, suggest fixes for those issues, and choose coverage that meets their budget and needs.
Insist on security standards: Whether they cover immediate security gaps or not, certain practices need to be undertaken by the SME in order to future-proof their operations and establish best practices. Among these standards are multifactor authentication, proper data disposal and physical security, backup policies, and corporation-wide anti-phishing training. In fact, a lot of these are underwriting prerequisites: if they aren’t met, cyber insurance policies might not even be offered to the client.
Consider post-incident support: Depending on what the SME’s technical staff is good at, they may or may not be able to handle the cleanup and security hardening process after a hacking incident is over. Some policies will help cover this, others will not. The expense of hiring contractors to manage the disaster recovery process after a malware incident can be scary.
Consider reputational damage: Likewise, part of the aftermath of any security breach is the possibility of losing the trust of people who interact with the business, also known as reputational damage. That might be public reputation if customer data was leaked, or vendor reputation if their information or private correspondences were leaked. Some policies cover this, others do not. Reputational damage can be fatal to an SME. If key vendors will no longer work with them or if their customer base loses all faith in them, how can they continue to function?
Finally, the client should be actively listening to their insurance broker, and the broker in turn should be actively listening to their insurance retailers. That’s the best way to ensure that the clients get the right coverage.
The Fine Print
Not all cyber insurance in the UK is created equal. It’s important for brokers to consider the differences when recommending a policy to their client.
For example, some policies will cover physical damage as a result of a cyber attack, and others will not. How could physical damage happen? Imagine a hard drive overwriting itself thousands of times at high speed. Or imagine CPUs being overclocked to the max and run at full tilt for days before anyone notices. That’s how chips get fried. Software manipulation can have serious hardware consequences, ranging from destroyed RAID arrays to triggered fire suppression measures. Whether or not a policy covers that kind of damage is in the fine print.
Another thing to look out for is the coverage jurisdiction for any overseas assets. Just because the insurance is purchased in the UK, that doesn’t mean everything that a UK based company owns is automatically covered. Assets in the EU are generally within the scope of these policies, but servers hosted in the US might not be. Servers hosted in South Asia might be excluded by some policies. So it’s worth checking to see if the client has hardware or software hosted overseas, in order to make sure that the right coverage is selected.
Legal action brought by related entities is often not covered by cyber insurance. ‘Related’ can be people who work for the company, contract for the company, or who are subsidiaries or parent corporations. For example, if employees of the SME sue the business for leaking their personal information (which might include details about their passport, bank account, address, contact info, and various accounts online), that might not be covered. So some amount of self insurance might need to be considered.
Picking the Right Cyber Insurance in the UK
Finding a broker with multiple cyber insurance products is the first step towards success. If they claim to have a ‘one size fits all plan’, run away quickly.
Having a look at OSR’s cyber insurance plans, we can see that there are multiple packages to pick from. That’s because the difference between the smallest SMEs and the largest of them is night and day. It’s highly unlikely that a smaller firm can take care of the same scope of IT issues as a business that’s knocking on the door of large enterprise status.
If there are any questions about assessing a client’s key criteria and choosing the right cyber insurance plan, contact OSR for a consultation.