Summary: The Federation of Small Businesses (FSB)'s Report on cyber-attacks in SMEs highlights important issues for insurers.

The Federation of Small Businesses (FSB) has issued a report outlining the impact of cyber-attacks on SMEs (Cyber Resilience: How to Protect Small Firms in the Digital Economy, June 2016).

The FSB Report indicates that smaller firms in the UK are collectively attacked seven million times per year at an estimated cost to the UK economy of over £5 billion. The FSB is calling for more support to be given by the Government and larger businesses to SMEs to help them deal with these issues.

This is an important issue for Insurers for the following two main reasons:

  • Our experience matches that in the FSB Report: hackers are increasingly targeting smaller organisations that form part of the supply chain to larger organisations. This is partly because larger organisations have become better at dealing with these issues. The main vulnerability lies in the supply chain having access to the larger organisations’ systems or receiving and processing their data;
  • The vulnerability for Insurers also lies in larger organisations now routinely requiring their supply chains to confirm that they are Cyber secure (when in reality they might not be) and increasingly mandating that this be backed by insurance. When something goes wrong the liability flows to the Insurer.

Some larger organisations are taking a more pragmatic approach in helping their supply chains to be more secure (this is a trend in sectors like financial services, for example), but the FSB would like to see more of this practical support offered to members.

At the same time, Insurers have a role to play in offering help when something goes wrong. It is sobering to see that the FSB Report indicates that only 4% of small businesses have a written plan for what to do if they are attacked. Most organisations will at some point be penetrated by a cyber-attack. It is how they respond to it that is often key to minimising the impact and hence the losses they incur. It is perhaps unrealistic for small businesses to have internal “crash teams” ready to respond to incidents. So, Insurers may have a role to play in offering those services to affected businesses when something goes wrong.