Almost 30% of small and midsize businesses (SMBs) cancelled their cyber insurance policies in 2021 due to cost cutting.
The price of cyber insurance is likely to still be too high for UK SMBs, according to a survey from GlobalData released on Friday. 38% of these businesses think it is unlikely they will be targeted in a cyber attack while 29% cancelled their policies in 2021.
The data and analytics company carried out the survey between August and September last year, where it explored SMB behaviours, purchasing preferences, and attitudes across commercial insurance products. Every company included in the survey had fewer than 250 employees, with 2,001 businesses surveyed in 2021.
GlobalData noted that as risk of attack increases, so will the premiums. It said that given that cutting costs is one of the leading causes of policy cancellation, this will be a significant obstacle.
The firm added that the Ukraine-Russia war has only heightened potential cyber security risks. It pointed to the UK’s National Cyber Security Centre (NCSC) advising all organisations in the country to bolster their cyber security in March 2022, specifically due to the increased risk from the war.
“Even if UK SMBs do become more concerned about their business being targeted by cybercriminals, they are unlikely to be willing to pay even higher premiums to protect themselves,” said Ben Carey-Evans, senior insurance analyst at GlobalData. “It is a difficult product for insurers to price, as unlike other products, they cannot look to limit risk—any SMB could be hit with a cyber attack at any time, and the costs can be significant.”
This is the biggest challenge for NCSC as SMBs are more vulnerable as they don’t take cyber hygiene seriously, said Muttukrishnan Rajarajan, professor of Security Engineering and director of the Institute for Cyber Security at City University of London. This, in turn, makes them the most vulnerable targets for a cyber attack.
Rajarajan has been teaching cyber security essentials for CEOs and CTOs as part of a programme at the university. He found that most of the individuals from the companies he taught didn’t take cyber security seriously and didn’t know about cyber insurance.
“Interestingly, a few came back to me after a few months of my lessons and said they have been attacked and need help! So I have seen first-hand the impact of these SMBs without any cyber security protection,” he explained.
Security awareness training strategies for account takeover protection
Why you need an inside-the-perimeter strategy for internal threats
A good cyber insurance policy should offer training to employees that specifically targets areas of risk within a business, said Steve Arlin, VP of the Americas, UK and APAC at ProLion.
“It can cover loss in income from a data breach and it can cover the cost of investigation work following a GDPR breach as well. While the cost of cyber insurance has certainly risen in recent years to keep pace with developments in cybercrime, it is definitely worthwhile.”
“This is a disturbing statistic as it illustrates that arguably businesses – faced with rising costs – are looking at saving money where they think it won’t matter,” he added. “This is short sighted in the extreme.”
Small businesses were warned in December 2021 to prepare for a potential surge in ransomware attacks in 2022 as cyber criminals turn to campaigns that are less likely to draw coordinated action from law enforcement. A report found that cyber criminals were adapting to increased pressure from police agencies that launched several successful operations to dismantle criminal networks.
