UK security breach study should prompt retailers to consider cyber insurance, expert says

Out-Law News | 23 Apr 2013 | 4:53 pm

Small and medium-sized online retailers can benefit from a "network of experts" at "discounted rates" by taking out cyber liability or data breach insurance policies, an expert has said.

Research commissioned by the Government has revealed that 87% of all UK SMEs and 93% of firms with more than 250 staff had experienced at least one security breach in 2012.

The 2013 Information Security Breaches Survey report (22-page / 640KB PDF), published by the Department for Business, Innovation and Skills, also outlined a growing trend in the average number of security breaches UK firms are experiencing. In addition, the report said that the "average cost of respondents’ worst breach of the year has never been higher", with the average worst security breach costing large firms between £450,000 and £850,000, and SMEs on average between £35,000 and £65,000. In some cases individual security breaches cost firms more than £1 million, it said.

Insurance data risks and cyber liability specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that the figures should prompt firms to consider whether to take out insurance policies "to mitigate the risk they would be exposed to in the event of a cyber attack".

"The report has revealed that just 51% of small businesses in the UK have formal incident response plans in place to follow in the event of a security breach, albeit the figure is up from 40% the previous year," Birdsey said. "This compares to 94% of large organisations, and indicates that smaller companies, such as those involved in online retail, may be ill-prepared in the increasingly likely event that they are the victims of a cyber security breach."

"When companies experience a data breach incident and engage experts to assist, they are making a distressed purchase and the cost of engaging outside providers to help rises significantly," the expert added. "The cost of engaging forensic IT experts, credit monitoring service providers or others on a reactive basis could be prohibitive. Smaller firms may also not necessarily have the skills or the experience to know who to engage and what competitive rates are for such services. Companies, especially those who do not have an incident response plan, can benefit from obtaining access to a network of experts at discounted rates by taking out cyber liability or data breach insurance that leading insurers provide."

According to the 2013 Information Security Breaches Survey report, businesses in the retail sector on average spend just 3.8% of their IT budgets on security – the lowest percentage of all the listed sectors in the report. At the other end of the scale, Government bodies and telecoms firms spend 12.6% of their IT budget on security on average, it said.

"This year’s survey clearly demonstrates the damage being done to UK companies in cyberspace," David Willetts, the Minister for Universities and Science, has said. "Understanding the risks is critical in addressing the challenge of how to manage them. Proactive management of risks represents a competitive advantage; effective cyber security is good for business."