Cyber Insurance premiums set to rise as Retail Sector faces growing Cyber Threats

As cyberattacks on retailers in the United Kingdom continue to surge, insurers are rethinking how they approach cyber insurance for the retail sector. With the frequency and sophistication of these attacks on the rise, underwriters are contemplating a significant increase in premiums—by as much as 10 percent—or, in some cases, reconsidering whether to issue policies for retail businesses at all.

Over the past two to three weeks, high-profile retailers such as Harrods, Marks and Spencer, and Co-Op have fallen victim to cyberattacks, with the incidents occurring within just a few days of each other. These attacks serve as a stark reminder of the vulnerabilities that exist within the retail sector, pushing insurers to re-evaluate the level of risk associated with covering these businesses.

In response to these increasing threats, underwriters have placed retail businesses operating in the UK under intense scrutiny. Insurance companies are likely to reassess the cybersecurity measures in place at each company, including evaluating the strength of their IT infrastructure and the presence of skilled in-house teams capable of mitigating cyberattacks. For businesses that appear to be at high risk, insurers may offer access to third-party forensic teams that specialize in defending against cyber threats. However, these additional services will come at a cost—likely increasing premiums even further.

A Parallelogram of Risk: Cyber Insurance and Traditional Coverage

The process of determining the right cyber insurance premium isn’t entirely different from how other types of insurance, such as health or motor insurance, are priced. In all cases, the insurer must first assess the level of risk involved before suggesting a premium amount. For instance, just as health insurers assess an individual’s medical history before offering a policy, or motor insurers examine a driver’s record before providing a quote, cyber insurers need to evaluate a company’s vulnerability to attacks.

If a company is deemed too risky—whether due to outdated systems, a lack of cybersecurity measures, or a history of previous incidents—the insurer may either reject the policy outright or increase the premium by as much as 100%. This increase would help offset the higher costs the insurer would incur in the event of a breach. In both scenarios, the insurer stands to benefit, as the costs of dealing with potential claims are effectively shifted to the policyholder.

The Importance of Cyber Insurance for Retailers

For Chief Information Officers (CIOs) and Chief Technology Officers (CTOs) who may be tempted to avoid taking out cyber insurance policies, it’s important to consider the long-term implications of a cyberattack. Imagine your business falling victim to a sophisticated ransomware attack, where hackers encrypt critical files and demand a ransom for their release. The impact of such an attack can be devastating, leading to significant financial losses due to downtime, recovery efforts, and customer churn during the period when the business is offline.

In these cases, the cost of recovery can far exceed the price of insurance premiums, which are relatively modest in comparison to the potential financial damage. For retailers in the UK, the average annual premium for a £1 million coverage policy is around £20,000. However, the actual premium can fluctuate significantly based on several factors, such as:

The Type of Asset: Retailers must insure not only their physical infrastructure but also digital assets, which include customer data, intellectual property, and payment systems.

Risk Factors: Insurance companies will evaluate how likely a business is to experience a cyberattack, based on factors such as its sector, the types of data it handles, and its previous history of incidents.

Security Measures in Place: A company’s preparedness to prevent and respond to attacks plays a critical role in determining premium rates. Retailers with robust cybersecurity measures—such as firewalls, encryption, and employee training programs—may be able to lower their premiums by demonstrating a lower risk.

Associated Costs: In the event of an attack, the insurer will factor in the likely costs of recovery, including forensic investigations, legal fees, regulatory fines, and damage to the company’s reputation.

Conclusion: Why Cyber Insurance is Essential for Retailers

In today’s digital age, no company is immune to the risks posed by cybercrime. Retailers, in particular, are prime targets due to the vast amounts of sensitive data they handle, from customer information to payment details. The question isn’t whether your business will be targeted—but when.

Given the potential financial losses and reputational damage that can result from a cyberattack, cyber insurance is no longer a luxury; it’s a necessity. While premiums may increase as insurers adjust to the growing threat landscape, the cost of coverage is a small price to pay when compared to the potential impact of a breach.

Retailers must recognize that cybersecurity is a shared responsibility between themselves and their insurers. By investing in strong cybersecurity measures and working closely with insurers to understand their risks, businesses can help mitigate the financial impact of cyberattacks and safeguard their long-term survival.
