Regular readers of this ‘blog may recall that almost exactly a year ago I wrote an article about the publication of a Government report detailing the extent to which cyber attacks have become a feature of daily business.
The joint study by the Department for Science, Innovation and Technology and the Home Office revealed that half of businesses and almost one-third of charities had acknowledged “some form of cyber security breach” in the previous 12 months.
The period since has demonstrated how cyber criminals at home and abroad have not exactly remained idle.
Among the most notable incidents was a ransomware attack in June on Synnovis, a blood testing company that works with the National Health Service (NHS), in which vast amounts of patient data were released on the internet.
It subsequently emerged that the attack led to more than 11,000 appointments being postponed and even prompted a five-day strike by 500 Synnovis employees.
According to the latest figures from the Information Commissioner’s Office (ICO), the incident was one of 12,193 during 2024 – an increase of just over 10 per cent on the year before.
Only weeks after Synnovis was hit, the King’s speech to parliament announced that the Government was to introduce a Cyber Security and Resilience Bill to “strengthen the UK’s cyber defences”.
Officials explained that the measure was necessary to update the only piece of domestic legislation spanning both the public and private sectors – the Security of Network & Information Systems Regulations, which came into effect in 2018.
Naturally, organisations have been keen to discover what exactly is planned and now we have an idea.
In a policy statement issued earlier this week, the Secretary of State for Science, Innovation and Technology, Peter Kyle, described how the cyber threat faced by the UK had “grown more intense, frequent, and sophisticated”.
The Cyber Security Bill, he continued, would ensure that “firms providing essential IT services to public services and the wider economy are no longer an easy target for cyber criminals”.
It is clear, however, that the country’s business community should not expect Westminster to carry the entire burden of reinforcing the digital infrastructure.
Even from the outline provided in recent days, it is clear that regulators will be put “on a stronger footing” to ensure that businesses honour both their existing obligations and any new ones.
Certainly, my colleagues at Broadway and I are aware that companies are increasingly conscious of what they can do to ward off the substantial risk posed by cyber crime.
Every single conversation which we have with current or prospective clients makes mention of cyber cover.
That is not just a case of us pushing the importance of specialist cover but of firms wanting to make sure that their arrangements are robust enough to withstand the practical, financial and reputational impacts of a cyber attack.
The insurance landscape has changed considerably in this regard in the last few years. Not so long ago, companies had to clear ever more stringent procedures to find cover and, if they were successful, they were frequently quoted eye-watering premiums to renew.
Now, both policyholders and policy providers are more familiar with the new realities. That has resulted in more insurers offering cover and – given greater competition – price reductions.
In my experience, about 80 per cent of businesses, both large and small, to which we speak about cyber insurance do put policies in place.
For bigger firms, the potential peril entailed in not doing so is almost too great to overlook.
That risk is absolutely not abstract. Within the last year, we have been asked to advise several companies which each lost roughly £1 million following attacks.
I should perhaps point out that the data and cash dangers which confront companies do not come only from the kind of “sophisticated” criminals cited by the UK Government.
The ICO’s figures show that more than half of all data breaches in 2024 were “non-cyber” and not due to ransomware, malware, “denial of service” or phishing incidents.
Of those, more than 5,000 involved human error or mischief, such as making verbal disclosures, sending data to the wrong person or gaining unauthorised access to information.
Whilst the vast majority of all those incidents resulted in informal action, there is still the risk of considerable financial sanctions from the ICO to compound whatever direct consequences stem from the activity of cyber criminals or employees.
Quite apart from not knowing the fine detail of the Government’s cyber Bill, we cannot be sure when it will take effect.
Ministers have only suggested that the measures are “expected to be introduced later this year”.
If we allow for the time which legislation, even with cross-party support, can take to navigate the parliamentary processes needed to make it to the Statute Book, it may be some months at least before there is a new law.
With that in mind, it can literally pay to take action now rather than waiting and worrying about whether a business will also fall prey to the cyber gangs.
That may not mean taking out specific policies in every case. May last year saw the publication of guidance to which BIBA, the body representing Britain’s insurance brokers, had contributed.
Furthermore, the NCSC’s latest annual review highlighted how businesses using relatively straightforward security procedures were far less likely to have to make a cyber attack claim.
Cyber defences can – and, in fact, should be – as particular as the organisations or private individuals adopting them.
What is important is that, when weighed against the context of a growing threat, informed decisions are taken about which tools to employ.
No-one can afford to wait until they have become a victim.