The recent wave of cyber attacks targeting UK retailers¹ highlights the growing reality of cyber risk in today’s hyper-connected world. Every business, regardless of size, sector or location, is now on the front line, facing increasingly sophisticated and persistent threats from hackers.
Despite this our recent Risk & Resilience report showed that 83% of global leaders feel prepared to deal with the evolving cyber threat, up from 75% in 2024². It is this potential misjudgement in the level of preparedness that is driving insufficient investment into cyber security and leading to underinsurance and gaps in cover. While large organisations may have the financial resilience to absorb losses relating to an incident, underinsurance can be catastrophic for small and medium-sized businesses.
As retailers across the world are learning the potential cost, perhaps the real challenge comes not in the immediate aftermath of a cyber attack but when shareholders demand answers to:
In this environment, executives need to be proactive in ensuring that they have the capabilities, insurance and resilience to manage throughout the potentially long lifecycle of a cyber attack. Which could move from mobilising an effective disaster response on Day 1 to working through the legal minefield of shareholder and regulatory scrutiny that could see them in court on Day 600+.
End to end solution
To protect themselves, businesses of all sizes need end to end risk management support and insurance coverage. This encompasses, pre-emptive, ‘always on’ cyber security services that consistently scan and protect them from new and emerging threats, reactive incident response expertise that ensures they can get back up and running quickly and adaptive post attack support to ensure the business makes the right recovery and learns the lessons. All of this needs to be backed up by meaningful insurance cover so that a business is fully protected for the worst impacts of a cyber attack.
Crucially company boards must be able to demonstrate not only that they handled the impact of the attack well, but that they had invested time, money and process in preparing their firm ahead of any attack. This will stand them in good stead if they become subject to a long drawn out legal or regulatory process that puts their decision making in the spotlight.
Company boards need to increasingly treat cybersecurity as a core governance issue, not just an IT concern. That means not just investing in cybersecurity defence, but ensuring cyber security is high up the boardroom agenda and that they have purchased insurance cover that meets the needs of an ever expanding era of cyber threats.
Head of London Market Wholesale Executive Risks | Specialty Risks