Four experts voice their opinions on what the industry can do to help protect SMEs from the effects of a cyber attack

David Flandro

head of global analytics, JLT Re

“GDPR will help companies become better protected, particularly those that perhaps in the past were not doing anything particularly sophisticated with regards to cyber.

“Now they will have to do it to comply with GDPR. But what it won’t do is mitigate the sophistication of the perpetrators of cyber attacks.

“Part of the answer to creating a bigger market for SMEs is awareness. People are more aware of the threat and becoming more concerned about the risks. They are starting to realise that it can affect them.

“The other thing that can help, particularly in the SME market, is that cyber can be offered alongside traditional business insurance covers. As long as it’s broken out and quantified explicitly in the wordings, the risk can be covered and ‘silent cyber’ isn’t an issue.

“Until a few years ago, most SMEs were not seeking out ‘cyber cover’ per se. Interest has risen and word-of-mouth is increasing. Underwriters can say ‘your competitors are buying it’. This, in turn, further increases awareness and ultimately demand. It won’t be a uniform effect, but it is happening organically.

“If you’re an SME and you’re trying to protect yourself you should just do it tomorrow, because it’s a huge risk and it can be devastating for a small company if you have a cyber attack and you’re not covered.”

 

Graham Whyatt

group head of affinity and SME, James Hallam

“GDPR has made people more aware of what they need to do better to improve their systems. There’s no question about that. I’d be very surprised if brokers are not already engaged and talking to customers about cyber and the risks they need to be aware of. Ahead of GDPR coming into force we were sending out information and putting on seminars to make clients more aware of it and how it affects them.

“In the post-GDPR environment there are more cyber insurance policies and there will be more notifications. So hand-in-hand there are going to be more claims and this will certainly heighten the awareness of SME customers to the threat. And it’s our job as brokers to talk about these claims and how they have affected companies.

“We have a large book of tour and travel agent clients and most are members of ABTA, which suffered its own public data loss last year. So we are using that experience to talk to those clients about what their exposures might be and we’ve put together a cyber crime management liability product, which covers everything they should need from a cyber perspective.

“Ultimately, it’s about getting into the SME mindset that it could happen to them. It’s a threat that is only going to get worse because cyber attackers will always find new ways of compromising organisations. And for this reason I believe cyber will become part and parcel of most insurance purchases by SMEs.”

 

Adrian Scott

global head of cyber, Pen Underwriting

“Lack of a plan for dealing with cyber breaches related to personal data is where GDPR can become a problem for small businesses. Under GDPR, firms need to notify the Information Commissioner’s Office within 72 hours of a breach, and tell anyone who is potentially affected, while identifying and rectifying the source and extent of the breach.

“Taken together, the fines (and small businesses are not immune from large fines for failing to secure digital data), penalties and time lost to fulfilling the requirements of GDPR after a cyber breach can be an expensive process. Many SMEs do not have the time or resources to investigate and report a breach, leaving them open to reputational and financial harm.

“A cyber policy can cover the bases for your client, leaving their problem in the hands of knowledgeable specialists in PR, IT and legal who deal with these issues every day. As well as getting their business back up and running, it is important to emphasise that cyber insurance gives small businesses access to specialist knowledge that can help them avert a PR crisis and a significant fine.

“There is a huge opportunity for brokers and insurers to highlight these additional services that are offered in addition to risk transfer to help drive take-up of cyber insurance. Services such as a 24-hour hotline response will allow firms to keep trading with minimal financial and brand damage.”

 

Jasper Goring

cyber reinsurance broker, Capsicum Re

“GDPR came into force on 25 May, but studies from several security firms suggest that only a small percentage of SMEs are adequately prepared to comply. This makes the broker’s role crucial in advising clients on the new risks and providing effective, relevant solutions to mitigate and transfer these risks.

“Under GDPR, firms must notify the regulator in the event of a breach of sensitive personal data within 72 hours of a breach occurring. It is therefore important that small businesses have incident response plans in place to meet these requirements, or they risk fines and further investigation.

“Not only do brokers need to advise their clients on this changing risk, it is also imperative that they recommend cyber products that offer robust vendor panels, to guide SMEs when a breach occurs. SME clients need to be educated about the services, such as legal support and IT forensics, available under their policy, as these are potentially their biggest benefit.

“However, GDPR legislation also governs the collection and use of personal data. Companies could come under regulatory investigation without ever having disclosed customers’ personally identifiable information.

“Not all cyber policies have addressed the change in regulatory exposure affirmatively so brokers must be sure that the wording in a given cyber policy meets the needs and expectations of each client.”