Jon Ratcliffe of broking house, RIB Insurance and Marcus Breese of Arch Insurance, Cyber Class underwriter, discuss client concerns in the area of Cybercrime and Cyber insurance

Jon - Why does an SME need Cyber Insurance if they also invest in IT Security?

Marcus - That is a great question. We know that no amount of investment can completely protect a company from a failure in IT security that results in some form of hack or ransomware event.  The IT security budgets of banks, airlines and cloud providers run into multiple millions and yet, there are examples, almost daily, of companies in those sectors falling victim to cyber attacks.  If it can happen to them, it can happen to any business, and it does.

Also, most events that lead to cyber insurance claims are caused by human error rather than digital attack.  A 2018 study of UK data breaches submitted to the Information Commissioners Office puts the number as high as 88%. 

Whether it's a straightforward accident like emailing data to the wrong recipient or something more sophisticated like falling victim to social engineering scam, humans are the weakest link in the chain.

Jon - At RIB, we use a third party service provider to host our software, why would we need Cyber Insurance?

Marcus - There is no doubt that using a third party like a cloud provider to host software typically improves cyber security.  That said, as we discussed, humans rather than machines are the weakest link in the cyber security chain.  Attackers know this and they exploit that weakness through social engineering.

Jon - What is social engineering?

Marcus - It's the practice of gathering information on people, using it to gain their confidence and then tricking them into revealing security credentials or making fraudulent payments.

Jon  -  And employees fall for this?

Marcus - All the time and in increasing numbers. It's actually the most successful way of circumventing digital security controls.

It might sound like you'd have to be a fool to divulge security information but the reality is the attackers are incredibly skilled.  They also use the really detailed information people post about themselves on social media. 

Think of it like this, a brief search of LinkedIn can reveal who, within an organisation, works in the finance department and in what roles.  A Facebook search will probably reveal a wealth of information about those individuals.  Names, friends, colleagues, prior colleagues, children's names, birthdays, holiday destinations and dates, the detail can be endless.  A well crafted email or series of emails that appear to come from a trusted source and which play back some of this "personal" information allow users to be duped into revealing security credentials or making fraudulent payments.

Jon - And that is covered by insurance?  What about the fraudulent payment?

Marcus - Absolutely.  Scenarios like this can be insured under cyber policies.  The frequency and cost of these scams is increasing all the time.

Jon - So how would you summarise the benefits of a cyber insurance policy for an SME?

Marcus - For me it is a question of "when" rather than "if" a company is going to have some form of cyber event and when they happen they are messy and very distracting to deal with.  They can require highly skilled professionals with very specific skills sets to resolve them. 

As an SME, trying to engage these professionals in an emergency situation would be really difficult and very expensive.  Cyber insurance provides rapid, coordinated access to those emergency services for a fraction of the amount it would cost to engage them independently.  Premiums vary but start from less than the cost of an average car insurance policy.

For more information on cyber insurance contact Jon Ratcliffe of RIB Group Ltd