Only a quarter of cyber security employees say their firm has cyber insurance

Half of companies don't have cyber insurance, and many of those don't intend to buy any soon either

Only one-quarter (24 per cent) of UK cyber security professionals say that their firm has cyber insurance, a report by recruiters Harvey Nash has indicated.

Half of around 200 IT security professionals in the UK surveyed by the recruitment firm said that their companies didn't have cyber insurance, and 26 per cent said that they didn't know.

Harvey Nash added that the fact that only one-in-four senior information security professionals were aware that their organisation had secured cyber insurance was surprising, particularly as in their survey, the security professionals had all suggested that their companies were well-prepared in case of a cyber-attack.

When the cyber security professionals who said they didn't have cyber insurance were asked if they had plans to buy any in the next 12 months - nearly half (46 per cent) said that they didn't have any plans, while more than one-quarter said that they did (26 per cent) and 28 per cent said they didn't know.

Harvey Nash found that only 19 per cent of senior information security professionals at small organisations (£50m or less in revenue) currently have cyber insurance; this increases to 29 per cent at mid-sized organisations (£50m-£500m revenue), and at larger organisations (£500m+ revenues) the proportion falls again, to less than a quarter (24 per cent).

The recruitment firm suggested that the low proportion of companies with cyber insurance was an indication that perhaps the cyber insurance products currently on offer were not mature enough to provide the coverage that respondents were seeking - or that perhaps senior cyber security pros believe their colleagues in the finance function should be primarily responsible for insurance coverage.

"Whatever the reason, it is clear that with rising information security threat levels and growing regulatory burdens that include compensation for customers affected by cyber breaches the market for insurance needs to adapt to support these changes," the report reads.

Last year, a government report suggested that only two per cent of large companies in the UK had explicit cyber security cover, and this drops to closer than zero. The maturity of the market could be one reason, but there is scepticism from chief information security officers; the most common reason for not purchasing a cyber-insurance policy was the belief that insurers would not actually pay out on a claim, according to a survey by KPMG.

Recently, US casino company Affinity Gaming said it used $1.2m of a $5m cyber-insurance policy on a security breach it suffered. It is seeking $100,000 in damages from Trustwave, which allegedly claimed that it had already dealt with the breach, only for Affinity Gaming to find out later that its systems had still been compromised.