Opinion

Bridging the Gap Between Cybersecurity and Cyber Insurance


We know cyber incidents aren’t just a tech problem, they can disrupt operations, create financial and legal headaches, and take a real toll on your team’s wellbeing. To explore this further, Annick O’Brien, General Counsel at CybSafe, shares her thoughts on why preparing your people, having the right strategy, and leaning on cyber insurance are all key to staying resilient when the unexpected hits.

When faced with preparing for a potential cyber incident, the first step is often a mindset shift from "if" to "when". We've all seen the headlines about massive data breaches and companies paralysed operationally because essential third-party services stopped functioning. But could that happen to you? It's easy to assume those are "big business" problems. The truth is, any business that uses technology is at risk, and you can't afford to be caught off guard. Even more, this is not a technical challenge; it's a people challenge, and your staff will be your greatest asset. However, they are also the ones who will face the lasting effects: emotional uncertainty, worry about job and future financial stability, and stress from months of crisis management. Not only do we need to equip our people to make safe digital decisions today, we need to help them recover and build resilience after the attack has come and gone. Preparation is key, and a comprehensive cyber strategy is not a cost but the foundation of operational resilience in today's connected world.

A cyber strategy, and indeed any good risk management plan, starts with assessing likelihood and impact. This involves identifying and analysing the risks most pertinent in today's digital world, and cyber threats are at the top of that list. Cyber insurance exists to help protect businesses against the threat of cybercrime. It's a key part of a comprehensive cyber strategy.

For some losses, it is true that standard business insurance will provide adequate cover. However, general business insurance typically doesn't cover the risks from a cyber incident or attack. Cyber insurance covers exposures that traditional policies were never designed to address, such as data, digital assets, ransomware, and system outages. It protects the digital infrastructure, liabilities, and reputational risks that sit outside the scope of general liability and property insurance covers.

Cyber insurance helps you in several key ways:

Covers Your Losses:
It can cover your business's own financial losses from a cyber event, which could be anything from a system outage to a privacy breach. This includes direct costs and a whole host of related expenses.

Helps with Your Liabilities:
It protects you from liability claims from others that arise from a cyber event. This is crucial if a breach exposes a third party's data and they decide to take legal action. An example of this is a service provider who may find themselves liable to their customers as a result.

Insurance as a service:
Good cyber insurance isn't just a policy; it's a service. A good insurer will help you identify potential threats and vulnerabilities before they turn into major incidents, which saves a lot of money and headaches in the long run. Many providers offer a team of experts available 24/7 to help you prevent attacks and respond quickly if one occurs. They can provide services like proactive monitoring, threat intelligence, and even a team of forensic analysts and security engineers to get your systems back up and running after an attack.

For me, this third part is essential. Check with your current insurer or broker; if they don't proactively help, it's time to start shopping around.

Investing in technical controls is a fantastic first step, but it's not a magic bullet. Think of it like putting locks on your doors and windows to prevent a break-in. You're taking great precautions, but you still buy home insurance in case a burglar finds a way in. A cyberattack is no different. Hackers are always evolving, and even the best security can be bypassed, often due to human error. Again, this is like a window being left unlocked by accident: no one's fault, but the burglar still got in!


Here's why technical measures alone can't guarantee your safety:

● Outsourcing to SaaS doesn’t eliminate legal risk:
You might think that if you outsource your IT, you're safe. Unfortunately, that's not true. If a third-party provider storing your data is breached, you could still be legally responsible for notifying affected individuals and dealing with regulatory actions.

● Technical controls are like a new car - losing efficiency from the time you leave the dealership:
Cyber threats are constantly changing, with generative AI now a major force multiplier for cybercrime. We're seeing more sophisticated attacks like "quishing" (QR code phishing), deepfake voice calls, and AI-generated malware that can evade conventional security tools. Traditional, static security methods just can't keep up with these dynamic threats. The recent spate of attacks on the British retail sector shows that social engineering is still alive and well.

● Insurance and technical controls are not mutually exclusive:
The most effective approach is to view cybersecurity and cyber insurance as two parts of a single, unified risk strategy. They shouldn't be siloed. When you have a strong cyber posture, it shows insurers you're serious about protection, which can lead to better policy terms and lower premiums. It's a win-win: you reduce your risk of an attack and get rewarded for it.

All of this is underpinned by the human factor. Phishing, social engineering, and simple old-fashioned errors are still a core risk for businesses. As seen very recently in the UK high streets, social engineering can cause substantial operational disruption and delays. Even with the most robust technical controls, a single click on a malicious link can open the door to risk. We are preparing for what can go wrong by building resilient systems that can respond and recover with the minimum amount of damage possible.

I think the most persuasive argument comes from simple numbers. The real cost and impact of a cyberattack is jaw-dropping. When the UK government reported on breaches in early 2025, the numbers were trending downwards. This is no longer the case. The financial damage from a cyberattack goes far beyond just a ransom demand. The costs can be staggering and have a ripple effect that can severely disrupt or even destroy a business.


Here's a look at the different ways a cyberattack can impact your business:

● Ransom demands:
Ransomware attacks have become more frequent and severe, with the average ransom demand increasing YoY by 100% since 2020. The NCSC advise not paying these demands.

● Direct losses:
This includes the theft of funds, which is increasingly done through social engineering scams.

● Operational disruption:
A cyberattack can cripple your IT systems, leading to business interruption and lost income. UK high street retailers have experienced this first hand.

● Recovery and remediation costs:
These are the expenses you'll face to fix the damage, including IT forensics, data recovery, and repairing systems. These costs can be substantial, with the average direct cost for SME breaches reaching £15,000.

Of course, there are also the more indirect types of cost:

● Reputational damage, which can erode customer trust and lead to missed business opportunities.

● Legal and regulatory consequences, meaning you could face significant fines and legal fees.

● Productivity costs, as the long-term psychological safety of your employees is damaged, preventing them from working efficiently and confidently.

Hope is not a strategy when it comes to cyber threats. It's about being prepared for the inevitable, not just wishing it away. A robust cyber strategy must integrate both preventative security measures and a comprehensive cyber insurance policy. Investing in strong security controls is essential, but it won’t guarantee immunity from an attack, especially with evolving AI-powered threats and the persistent risks around social engineering. A cyber insurance policy is your crucial safety net, providing not just financial protection but also access to the expert teams needed to respond and recover from a breach.

- Annick O’Brien, General Counsel at CybSafe

Protect Your Business with Cyber Insurance and an Incident Response Plan

A strong insurance strategy should include an Incident Response Plan, enabling businesses to act quickly during cyber incidents and reduce impact. It helps minimise downtime, limit financial losses, preserve reputation, ensure regulatory compliance, investigate breaches, manage communications, and provide access to expert support.

Proactively strengthening cyber defences lowers breach risk and demonstrates a commitment to security, potentially reducing insurance premiums. Combining security measures with insurance, supported by a human-focused risk management programme, ensures safe digital decision-making before and after an incident.

Get in touch today for a cyber insurance quote to protect your operations, reputation, and bottom line!
