The ransomware cyber attack on the NHS and other organisations across the world on Friday last week has been described by some cyber experts as perhaps the worst cyber incident in history, certainly in terms of the number of organisations affected.
The profile of targets like the NHS and the sheer scale of the incident have attracted global media coverage and put a spotlight on the growing threat of global cyber criminality against large organisations. However, the reality is that SMEs are just as likely targets for cyber criminals, as they are often woefully unprepared and lack the security, resources or expertise to deal with the consequences of such an attack. The difference is that cyber-attacks on SMEs go largely unreported. Indeed, a number of our own SME clients have fallen victim to cyber-attacks over the last 12 months.
To help you understand the cyber risks that your business faces we have put together some key points:
QUICK STATS ON CYBER CRIME
- 60% of small businesses suffered a cyber security breach in 2014
- 52% of businesses think they have cyber cover; in reality fewer than 10% actually do
- 23% of people open phishing emails
- 11% of people open attachments in those emails
- The cost of fixing a data breach of 1000 records is between £33 and £35 per record
- 40% of people download work files to personal devices
- 50% of people take confidential information when leaving a company
- In 60% of cases attackers are able to compromise an organisation in minutes
WHAT DRIVES CYBER CRIMINALS?
1. Data
2. System Interruption
3. Money
WHAT ARE THE SPECIFIC THREATS?
System Interruption by Malware
Software which is specifically designed to disrupt, damage or gain unauthorised access to a computer system.
Ransomware
Malicious software designed to block access to a computer system until a sum of money is paid.
Phishing
Where criminals send emails purporting to be from reputable companies in order to induce individuals to reveal personal information such as passwords and credit card numbers.
Distributed Denial of Service (DDoS) attacks
This type of attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
Cyber extortion
This is an attack coupled with a demand for money to avert or stop the attack.
Rogue employees
Where a disgruntled employee maliciously targets their employer. For example, a sacked employee who hasn’t yet had their access rights removed posts sensitive information on social media, putting the employer in breach of privacy legislation and liable to pay costs including notification, damages, expenses and credit monitoring.
Negligent employees
Unintentional or careless acts carried out by employees which lead to a data breach. For example, an employee leaves a laptop on a train which isn’t password protected and which contains sensitive client information. The information is accessed by criminals who use it to obtain fraudulent loans. The victims or “data subjects” then sue the employer for financial loss.
THE RISK TO YOUR BUSINESS
The risks can be broken down into two main areas:
Third Party Losses
These are losses suffered by third parties who might make a claim against your business resulting from an attack on, or breach of, their data which you hold. An example of this might be an individual whose personal data is stolen from your company and fraudulently used to obtain loans or credit. Another example might be legal action and fines from regulatory bodies such as the ICO (Information Commissioner’s Office) for allowing a data breach to occur.
First Party Losses
This is the direct financial loss suffered by your business following a breach or attack. For example, the additional costs needed to restore your systems, or the lost revenue from any downtime resulting from an attack.
IS MY BUSINESS INSURED AGAINST CYBER CRIME?
Cover for this “emerging risk” is not automatically included within standard insurance policies, which are designed for events such as fire, flood, road collisions and general liability, despite the fact that in 2017 a business is more likely to suffer a cyber-attack than a fire or burglary.
Most businesses now rely in some way on computer software or systems to operate, handling everything from customer databases to fully automated manufacturing processes. This dependence on technology as a fundamental cornerstone of operations leaves businesses more exposed to cyber risks than ever, and for this reason, as part of a wider cyber risk management strategy, a specialist cyber liability policy is highly recommended.
WHAT CYBER COVER IS AVAILABLE AND WHAT DOES A CYBER INSURANCE CLAIM LOOK LIKE?
A good cyber policy should include some or all of the following features:
First Response
This pays for a team of IT specialists to immediately respond to a threat as it happens or immediately afterwards.
Cyber Liability
This covers your business against claims from third parties or data subjects following a data breach.
Business Interruption
This covers the lost revenue which results from the interruption to the business after a breach or attack.
Data Breach Notification Costs
This covers the costs involved in notifying relevant data subjects or authorities, e.g. the Information Commissioner’s Office.
Information and Communication Asset Rectification
This covers the costs associated with recovering systems and data.
Public Relations
This covers the cost of hiring a PR agency to deal with the adverse publicity generated from a breach.
IT Forensics
This covers the cost of IT forensics to establish the severity and identify the cause of a breach, so that control can be regained and the business protected in future.
Credit Monitoring
This covers the cost of monitoring the creditworthiness of your data subjects for a period after a data breach, to ensure that their identities are not being used for fraudulent gain.
Telephone Hacking
This covers the cost incurred when your telephone systems are hacked and calls are dialled out to premium rate phone numbers.
Computer Crime
This covers the direct financial loss suffered following an IT system breach, e.g. your banking system is breached and money is transferred out of the business.
OTHER REASONS TO PROTECT YOUR BUSINESS AGAINST CYBER CRIMINALS
The General Data Protection Regulation (GDPR) is due to come into force in May 2018, bringing with it hefty fines for non-compliance and more onerous obligations than ever before in relation to data breaches.
For example, organisations are required to notify a data breach to the ICO “without undue delay, and where feasible, not later than 72 hours” unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”.
Champion Insurance Group work with a number of specialist cyber insurers who offer bespoke cyber cover, including valuable ancillary support services to get your business back on its feet after a cyber-attack. These policies can be tailored to suit your business’s needs.
If you want to learn more about how to protect your business against the threat of cyber-crime, please contact us on 03330 430 430 or info@champion-insurance.co.uk.