Learning about someone else’s misfortune produces a rather common but somewhat strange response.
No matter what degree of connection or lack of it we may have to the individual concerned, any compassion or sympathy is tempered with a sense of relief that we have not fallen victim to whatever bad luck, loss or criminality has befallen them.
There is something else too: many people express almost a confidence that a similar fate won’t impact them.
When it comes to risks and risk management, such a sentiment always seems like tempting providence.
No matter the circumstances, we simply cannot predict who will escape unscathed.
Take cyber security, the subject of a report published jointly this month by the Department for Science, Innovation and Technology and the Home Office.
It included some startling findings, such as the fact that half of businesses and almost one-third of charities reported “some form of cyber security breach” in the previous 12 months.
Furthermore, just over 40 per cent of organisations suffering an attack became the victims of cybercrime.
This latest study comes soon after the Information Commissioner’s Office (ICO) issued its own data, which revealed that the volume of cyber-related incidents during the second half of last year was 61 per cent up on the same period in 2022 (https://ico.org.uk/action-weve-taken/data-security-incident-trends/).
Taking all that into account, it will perhaps be unsurprising to learn that cyber insurance is a facet of every single conversation which my colleagues in Broadway’s Corporate team and I have with clients.
In the last few years, we have seen more businesses aware of the dangers.
That appreciation has coincided with what the insurance industry would describe as a ‘hard market’: policies harder to come by as well as more expensive to obtain because some providers withdrew cover altogether.
A factor in their thinking was the sort of high-profile and complicated hack which targeted IT consultancy CTS in November last year and “played havoc” with house sales across the country, according to the BBC.
Even though the insurance market has stabilised to a degree, the nature and cost of policies are still dependent on underwriters being able to make an informed decision about the risk that they’re being asked to cover.
It is one important reason of many why Broadway is entrusted with handling the cyber insurance requirements of a growing number and range of companies, from small start-ups to multi-national corporations.
At the heart of this work is discovery: learning as much as we can about a firm – its operations, attitude to risk, infrastructure and suppliers – in order to present insurers with as complete a picture of a prospective policyholder as possible.
Done well, it can do more than see companies securing exactly the cover they need (and, quite often, without being quoted eye-watering premiums into the bargain).
It can identify possible weak links in their respective corporate chains, highlight how best to put those right and further reduce the potential for difficulty.
In that regard, we believe it to be a very useful two-way street, helping us establish all the information which we need to gain clients the best cover and giving them an external perspective on the risks they face – and how to confront them.
That is crucial because insurance should only ever really be a ‘just in case’ provision. With cyber breaches – criminal or otherwise – there can be significant financial, reputational and regulatory consequences which endure long after the initial problem has been dealt with.
Cyber policies, for the uninitiated, might seem as bewildering as the process by which cover is arranged.
Simply put, they generally contain four key elements: data breach management (dealing, as the name suggests, with the immediate aftermath of an attack), business interruption, extortion (responding to a ransom request, if one is indeed made) and liability (handling any resultant financial claims made by clients or suppliers).
The business interruption feature can also include something known as ‘dependent business interruption’ cover, which protects an organisation if one of its suppliers or contractors is a cybercrime target instead.
It sounds complex but the job of a broker is to explain exactly what the sometimes opaque small print of policies means to the insured.
Those without guidance might be put off by the expense and by the language insurers use, and choose to carry the risk – that is, not put any cover in place at all.
That is perhaps why this month’s Government report found that only 43 per cent of businesses and 34 per cent of charities had cyber cover.
Insurance, of course, is about determining the tolerance of a company or individual for risk and finding out whether they wish to transfer it to a policy provider.
Cover is certainly not a guarantee that you won’t be compromised.
However, as the latest official surveys show only too well, opting not to guard against the growing possibility of a cyber breach or crime means the threat remains without any defence.
In my opinion and that of hundreds of clients, it’s far better to make a full disclosure to obtain cover than have to make a full apology to clients, partners and regulators in addition to seeing your organisation’s future placed in jeopardy should the worst happen.