Cyber crime is becoming an increasingly prevalent and costly risk, yet many businesses are woefully underprepared for an attack - a major business failing in this digital age.

Companies of all sizes today are dependent on IT to a greater or lesser extent. Large multinational corporations have the resources to plough considerable investment into ensuring that their IT security is robust and updated regularly to take account of any changes in the risk environment. However, even they can get it wrong, as demonstrated by recent data breaches occurring at Epsilon, Sony and Citigroup.

Middle-market companies, although lacking the resources to make a similar investment, may consider that their size makes them a less attractive target for hackers. XL senior underwriter, professional lines, Dawn Simmons says this is a fallacy. “Recent reports suggest that hackers are more likely to target smaller rather than larger companies because they consider it will be easier to hack into their systems.”

Simmons warns: “The combination of more sophisticated criminals and stricter data breach laws results in companies facing increasing financial and reputational exposures. The average cost of a data breach in Europe in 2010 was approximately £1.9m, and we expect that number to rise in the future.

“In the light of stricter laws being implemented throughout Europe, companies from all sectors need to protect themselves against the soaring costs associated with hacker attacks, lost data or human error.”

Specific policies

Traditional property and liability insurance policies do not give your company protection against specific risks such as data breaches and associated costs arising in today’s hi-tech business world. Crime policies also do not fill the gap, as they generally focus on loss of money and securities. But if your company suffers a data breach, it can expect to pay the often considerable costs associated with issuing mandatory data breach notifications to customers and authorities, as well as civil regulatory fines and penalties.

For this reason, some insurers have introduced specific cyber risk policies. In addition to fines, penalties and notification costs, these may also cover other expenses. For example, XL’s Eclipse policy also offers companies cover for IT forensics – the cost of hiring a specialist IT security firm to investigate how a data breach has happened and what to do to prevent a recurrence. It can also compensate for possible business interruption resulting from a breach, as well as the costs of public relations specialists to manage reputational fall-out.

“The reputational damage resulting from a data breach can be horrendous,” Simmons says. “The loss to the business can be as much as £5m [€5.74m] or even £10m.”


While a loss of this size may not have a negative impact on the balance sheets to large multinationals, the effect for smaller businesses may be devastating. “Reputation risk can ruin a smaller company,” Simmons warns.

Insurance is one of the tools that mid-sized companies can use to protect themselves. But you also need to consider your cyber risk management strategies. Having robust controls will make your business a more appealing risk for insurers, ensuring not only that you will be offered cover but also that you are quoted a competitive premium. Reports suggest that the most common causes of data breaches are website hackers and stolen hardware such as laptops, so these are the areas to focus on.

It isn’t only data breaches that cause problems. Erasure of data also remains an ongoing risk, whether accidentally or knowingly perpetrated – usually by disaffected employees.

Key risk management strategies here include backing up vital information and storing the back-up in a location outside of your premises in case of fire or other damage.

As far as malicious erasure is concerned, it is important to make sure that the passwords of any employees who leave are cancelled, so that they cannot access your system afterwards.

Leakage of conf dential information

One risk that some of the major multinationals are grappling with today is potential leakage of confidential or potentially reputation damaging information through employees ‘chatting’ on social networks.

According to research published in September by global risk consultancy Protiviti, around one in six (17%) of UK employees consider social networking such as Facebook and LinkedIn a major risk to corporate security – and even more (27%) feel that employers should provide clearer guidelines on using social media in the workplace.