Cyber attacks such as ransomware can pose an existential threat to businesses. The most recent reminder is the announcement that KNP Logistics, a Kettering-based haulage group which includes the 158-year-old firm Knights of Old, has gone into administration following a ransomware attack, with up to 730 jobs in the balance. The group was apparently already struggling, but the administrators are clear that the attack was the catalyst for the insolvency, adversely impacting on the group's operations and finances.

Whilst such catastrophic outcomes are fortunately relatively rare, insolvency following a cyber attack is nonetheless a real concern to many organisations. Indeed, a 2022 cyber readiness report, prepared by an insurer following its survey of some 5,000 businesses, noted: "One in five (20%) of businesses across eight countries said that a cyber attack almost rendered them insolvent ... an increase of almost a quarter (24%) compared to the previous year." This concern is likely only to worsen in a challenging economic climate. 

Of course, one of the ways to transfer (some of) the financial risk of a cyber incident such as ransomware is through appropriate insurance - often a standalone cyber policy. Cyber insurance is not, however, a silver bullet; and prevention is still better (and more cost-efficient) than cure. This involves assessing and managing cyber risks.

No wonder then that the Information Commissioner recently observed, in the context of a £4.4 million fine issued to a construction company following a cyber attack, that the biggest cyber risk is complacency, not hackers. He said: 

"The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office."

So if the prospect of insolvency is not motivation enough to prioritise cyber risk, a seven-figure regulatory fine might just be.