The broker trade body and cyber underwriter CFC have teamed up to improve the cyber landscape amid reports of low penetration of cover

A “big issue” among small and medium-sized enterprises (SMEs) is the uptake of cyber insurance, so - in addition to calling on the UK government to improve cyber security measures - the insurance industry must also “increase the awareness, penetration and understanding” of cyber cover for clients, according to Graeme Trudgill, executive director of broker trade body Biba.

Speaking exclusively to Insurance Times alongside Trudgill, CFC Underwriting’s cyber development leader, Lindsey Nelson, explained that cyber criminals are increasingly focusing on SMEs because intangible assets are often this cohort’s “largest exposure”.

Demonstrating this, 86% of the cyber claims submitted to CFC Underwriting in 2022 were from businesses with less than £50m annual turnover, Nelson added.

Figures from the UK government concur that there is a protection gap when it comes to SMEs and cyber insurance.

The Department for Digital, Culture, Media and Sport’s (DCMS) Cyber security breaches survey 2022, published last July, found that only 5% of UK businesses have a standalone cyber insurance policy.

In addition, just 38% of the businesses polled had cyber security cover included as part of a wider insurance policy.

DCMS’ research surveyed 1,243 UK businesses in total, including 696 micro firms, 264 small companies, 149 medium-sized organisations, 134 large businesses and 424 charities.

Nelson explained this cyber cover gap has been catalysed by a lack of knowledge as “many” SMEs believe they are “too small to be a target”. This viewpoint has further been “exasperated by the cost of living crisis and [clients] deterring an additional insurance spend”.

Trudgill added that many “SMEs might think they are immune” from cyber attacks, despite this being a “very real risk everyone’s exposed to”.

He believes these firms are instead prioritising traditional insurance policies - like property and liability - but are not giving cyber “full consideration”.

Developing risks

Adding to cyber cover penetration concerns is the fact that the cyber threat landscape is changing – although ransomware continues to dominate headlines due to its expense.

However, Nelson reported that CFC Underwriting has seen an 11% increase in cyber attacks targeting the basic theft of funds across businesses of all sizes - these ”make up over a quarter of our cyber claims by frequency”, she added.

Basic theft of funds – also known as social engineering – is often driven by human error and even though these types of claims are not financially comparable to ransomware demands, “[thefts] are still quite significant for small businesses and they happen quite regularly throughout the policy term”, Nelson emphasised.

This ”is why coverage can really matter in terms of unlimited reinstatements”.

Nelson added that cyber criminals now know how to bypass multifactor authentication (MFA) too - however, insurers are still observing a direct correlation between firms not having MFA in place and cyber claims happening as a result.

She continued: ”[Compared to cyber insurance], security controls don’t prevent human error-related incidents [that have] nothing to do with unauthorised access into systems by a malicious third party.

“It could be simply accidental disclosure by an employee or it could be a disgruntled employee who has authorised access to sensitive information who might use that against the company during particularly challenging times.”

Intervention

To improve the cyber landscape for UK businesses, Trudgill said “the government has a responsibility” around cyber security and it should be “doing all [it] can to improve cyber protection in the UK”.

One way the UK government can do this, suggested Trudgill, is to give an insurance premium tax (IPT) waiver for cyber insurance as an incentive to “encourage greater take up, particularly in these difficult economic times”.

According to Biba’s 2023 manifesto - entitled Managing risk - Delivering sustainability and published in January 2023 - IPT is a “tax on the price of the insurance product and is an indirect tax on consumers and businesses that is collected by insurers and paid to His Majesty’s Revenue and Customs – but ultimately, the customer is required to pay it in their premiums”.

IPT rates have been “frozen for the last five years or so”, said Trudgill.

“I don’t think the government would be losing a great deal of IPT earnings [through following Biba’s recommendation] because [cyber insurance has] only got that small take up rate,” he continued.

”You’ve got to speculate to accumulate, so let’s try and give it a break and see if we can all push that together – industry and government – and then hopefully we can increase the levels of protection across the UK.” 

CFC Underwriting and Biba want to help the insurance industry and its commercial clients get to grips with cyber cover and cyber security.

In the lead up to Biba’s manifesto launch, the organisations published A guide to cyber insurance – Helping businesses prevent and survive cyber attacks on 7 December 2022 - this document aims to communicate the evolution of cyber insurance.

Nelson highlighted that cyber insurance has become a “service driven solution” that “helps to combat cyber crime rather than simply respond to it financially”.

As part of its cyber coverage, for example, CFC Underwriting developed its Response app, which launched in March 2017 – this must be downloaded by clients as it’s “the most critical part of their policy”, said Nelson.

The firm currently provides over 60,000 standalone cyber policies globally, but only around a third of these clients have accessed the app due to a lack of awareness.

Nelson continued: “That’s really the mechanism not only for them to have a security team at their fingerprints, [but to also] alert the client more quickly to any vulnerabilities or compromises that our team are able to spot on their behalf in real-time.

“All of that is going to be really important for brokers to know and be quite invested in because, for them, it provides market sustainability.

”Reducing cyber attacks for businesses means it’s great value for [brokers’ customers]. It [means] sustainable loss ratios, it means product coverage stays broad [and] it’s streamlined underwriting, so we can increasingly reduce the need for long application and proposal forms. It [also] enhances everybody’s cyber expertise in terms of what the product does.”

CFC Underwriting’s threat analysis team delivered over 300 personalised notifications every month in 2022 where a potential threat or compromise was identified – this helped to prevent financial losses.