A study by Pen Underwriting has found a mismatch between how well protected businesses in the UK and Ireland believe they are against cyber threats and the measures they have in place to manage those risks.
Pen surveyed 300 business insurance decision-makers across the UK and Ireland. While 90% of respondents said they were protected against cyberattacks, and 81% were confident they could recover quickly, only 47% had standalone cyber cover. Among firms with annual turnover below £1 million, just 18% had such insurance.
At the same time, 39% of all respondents said they had been targeted by cyber criminals in the past five years. Of those, 81% said the attack posed a serious threat to their business, while 74% experienced operational disruption and financial loss.
Cyber incidents were reported more frequently than other insured events such as fire (10%), flood (7%) and theft (35%). Four in five cyber targets had experienced multiple incidents, according to the survey results.
Pen also found that risk management measures were inconsistently applied. While 51% conducted staff training and regular data back-ups, only 49% used multi-factor authentication (MFA) for remote access, and 46% applied it to email accounts. Vulnerability scanning was also reported by 46%, the company said.
Meanwhile, firms that had experienced cyberattacks cited the main consequences as financial loss, data breach, lost productivity, operational disruption and reputational damage. More than a quarter said the impact lasted over a week, yet 80% of all firms surveyed said they could not afford to be offline that long. Among them, 41% said even a single day of disruption would be commercially challenging.
Smaller firms reported the lowest levels of protection. According to the survey, half of those with turnover under £1 million had no cyber cover, and many lacked basic controls. Only 31% conducted back-ups, 32% trained staff, and 29% used MFA for remote access.
Despite this, 84% felt their business was protected, and 72% were confident they could recover quickly. Of those who had experienced an incident, 44% said disruption lasted a week or more.
While the UK cyber insurance market has expanded, uptake remains limited among small and mid-sized businesses. Barriers include lack of awareness, concerns over complexity, and assumptions that existing policies offer sufficient protection.
Ian Summerfield, head of cyber at Pen, said the research showed firms were overestimating their cyber resilience and underestimating the potential impact of an attack.
“The frequency of cyber-attacks and subsequent loss and disruption is significantly higher than the occurrence of other perils that firms look to insure against as standard,” he said.
He added that cyber insurance not only covers financial losses but also provides risk management and breach response services that can reduce the time a business spends offline and help restore operations more quickly.