A recent report from NTT Security has revealed 66% of UK senior executives believe their company is not fully prepared for a security breach and could not cope with the financial impact of data loss. Even so, 81% of respondents to the NTT Security survey agreed that it is important to have an insurance policy that will pay out in the event of a data breach.
To produce the report, NTT Security surveyed 1,800 senior executive officers in non-IT positions and asked them about business risks and the importance of information security. The survey revealed UK firms need to pay an average of £1 million to recover from a substantial data breach.
The UK compares poorly to other countries when it comes to insurance cover for security breaches and data loss. On average, 53% of companies have an insurance policy covering data breaches and data loss. In the UK, only 29% of companies have such an insurance policy. That figure places the UK just ahead of Benelux countries (27%) and Nordic countries (23% in Sweden and 28% in Norway). The UK is joint second bottom with Germany for having dedicated cyber insurance, just above Benelux countries on 27%.
11% of respondents from the UK said they only have coverage for data loss and 6% said their policy only covers security breaches. 45% of respondents were unaware whether their insurance covered either data loss or security breaches. Globally, 23% of respondents were unaware of the coverage of their insurance.
The report also showed that the number of insurance firms that offer cyber insurance via Lloyd’s of London has grown to more than 70 during 2018, which is double the number of companies that offered cyber insurance a few years ago.
According to Kai Grunwitz, the senior vice-president for EMEA at NTT Security, estimated annual losses from cyber crime have now reached $400bn (£291bn). The number of policies being taken out has certainly grown, but it is clear that many senior decision makers are not on top of cyber insurance.
Kai Grunwitz also said that while it is now important to take out cyber risk insurance, it should not be viewed as a “get out of jail free card.” It is essential to have an effective risk-based information security strategy. Cyber security insurance should not be viewed as an alternative to having such a strategy.