Despite the increase, businesses risk being underinsured until insurers ‘take matters of cyber security seriously’, says cyber and tech head

UK ransomware attacks reported to the Information Commissioner’s Office have increased by 100% to 654 cases in 2021 – up from 326 in 2020, according to data analysis conducted by international law firm RPC.

Industry sectors including finance, insurance and credit were most frequently impacted by attacks last year (103), followed by education and childcare (80).

The rise, according to RPC, is likely driven by the increasing profitability of ransomware attacks, as a number of corporate firms have been forced to pay a ransom to have their data decrypted.

Ransomware is a form of malware that encrypts the victim’s information and blocks access to it until a sum of money is paid.

Commercial insurance provider CNA Hardy, for example, allegedly paid out $40m (circa £28m) to its ransomware attackers last year (May 2021). 

Some larger gangs have also cashed in on licensing their ransomware to other criminals, while others scour the internet for vulnerabilities and then sell the resulting access to other scammers, who may execute the attack and exfiltrate data instead.

Partner and head of RPC’s cyber and tech insurance team Richard Breavington said, however, that “it is becoming increasingly rare for cyber to be covered by other types of insurance policies”. Therefore, “businesses that are not taking dedicated cyber policies run the risk of becoming underinsured”.

Minimising BI

He continued: “Ransomware attacks have been on the rise and it’s a problem that isn’t going away any time soon.

“However, there are options for businesses that want to avoid being caught in an insurance gap.

“One is investing in the latest IT security software.

“Not only will this reduce the chances of succumbing to an attack, but it will also signal to insurers that they take matters of cyber security seriously and hopefully make it easier for them to get coverage.”

Breavington added that corporates should also ensure that their systems are backed up regularly via a segregated method, which could “help minimise business interruption in the event of an attack”.