New insurance products launched to protect businesses from suffering the losses caused by cyber attacks have apparently been met with great scepticism. A KPMG survey of senior information security professionals, whose organisations are members of KPMG’s International Information Integrity Institute (I-4), finds that the most common reason for not purchasing a cyber insurance policy is the belief that insurers would not actually pay out on a claim.
Distrust of insurers honouring their contracts is seemingly leaving businesses exposed to the effects of cyber crime. No fewer than 74% of the information security professionals surveyed by KPMG state that their businesses have no cyber insurance in place, even though 79% expect cyber security threats to increase over the next twelve months. Elaborating on that last point, three quarters (74%) of respondents perceive organised crime and state-sponsored activity to pose the biggest threat.
For those whose businesses have already purchased some form of cyber insurance, 48% of them think that the policies may not pay out if and when required to do so.
Commenting on the survey results, Mark Waghorne (head of KPMG’s International Information Integrity Institute) stated: “It’s worrying to see that so many businesses would rather risk having no insurance in place to protect themselves against a threat that they believe to be very real indeed. It’s also disappointing to note that cyber insurance is viewed as providing little comfort to those who have it, as almost half of the respondents to our survey don’t believe they would be compensated properly if push came to shove.”
Waghorne continued: “Of the information security professionals we spoke to, 30% of them believe the market for cyber insurance doesn’t yet appear to be sufficiently mature. It would appear, then, that insurers will need to deliver more comprehensive packages in order to convince the business community they can and will protect against losses incurred as a result of cyber criminality.”
He added: “Discussions conducted during a later debate at the most recent I-4 Forum showed that the availability of specialist and focused cyber-related insurance has much improved during the past year, with clear evidence that carriers do pay out. This would indicate that those organisations which have avoided cyber insurance in the past should perhaps now revisit their position on the matter.”
Training and development are “overlooked” in cyber security
In tandem, Serena Gonsalves-Fersch (KPMG’s UK Cyber Academy Lead) has commented on the need for businesses to “stop getting worked up” about cyber security fears and start working towards getting the basics right.
“Training and awareness is one of the most overlooked areas of information security,” explained Gonsalves-Fersch. “Businesses often find that security incidents are not caused by a failure in technology, but rather because employees don’t fully understand the role that they must play in protecting their company’s assets.”
Gonsalves-Fersch went on to state: “All-too-often we see that company leaders race to implement new technologies in order to ring-fence a particular area. Effective cyber risk management is based on an enterprise-wide approach that includes people, process and technology. To create a strong competitive advantage, this culture needs to start inside the Boardroom. When employees are armed with the right guidance and empowered to act, it’s true to say that they transform from being a risk to becoming the first line of defence.”
Bespoke cyber security service for SMEs
Further, KPMG Enterprise has just launched a cyber security service tailored to the needs and resources of smaller and mid-tier businesses. The professional services firm developed the streamlined package of cyber controls in response to cyber criminals increasingly targeting smaller businesses, whose comparatively weak defences leave them more vulnerable.
The ‘Accelerated Security’ service is designed to help SMEs and mid-tier companies protect themselves from cyber attack through a series of pre-packaged cyber defence controls that don’t require significant IT resources to implement. It can be put in place in weeks and is available at a fixed price.
The package is also intended to help organisations achieve certification under schemes such as the Government’s ‘Cyber Essentials’.
Martin Tyley, KPMG Enterprise cyber partner, told Risk UK: “It’s increasingly important that smaller businesses, which have not historically considered themselves to be a target for cyber crime, now begin to develop resilient cyber defences. We’re seeing attackers focus on businesses with lower levels of cyber maturity as the large corporates, the more traditional targets, continually enhance their levels of protection.”
Tyley added: “In fact, any organisation that holds valuable data is a target for hackers. This truism can be hard to stomach for those businesses which have previously remained below the radar. Such a realisation can leave some companies struggling to achieve their aspirations without feeling exposed to cyber security risk.”
KPMG is also warning smaller and mid-tier businesses that the impact a cyber breach can have on their operations, customer relationships and reputation is not the only consequence that should be on their radar: regulatory penalties are another.
“The Government is increasingly considering failure to protect customer data to be a public interest breach,” urged Tyley. “The Information Commissioner’s Office is fining organisations up to £500,000 for breaching the Data Protection Act. Suffering a customer data loss can trigger a full-scale ICO investigation, in turn risking a financial penalty that can really hurt a smaller business.”
*Further information on KPMG’s cyber services may be accessed at: www.kpmg.co.uk/cyber