Interview with Duncan Sutcliffe, Director of Sutcliffe & Co.

Cyber Security and the Insurance Industry. 

Many organisations are interacting more and more with their customers digitally, and routinely hold a wealth of their clients' personal information. For cyber criminals, this data is as good as cash.

With the rapid technological developments in today’s threat landscape, it’s true to say that no organisation is immune to a cyber breach. With this in mind, cyber liability insurance has become an essential component for security-conscious businesses as an added layer of protection alongside their existing risk management framework.

Sutcliffe & Co’s director, Duncan Sutcliffe, has been recognised by his industry peers and by Insurance Business UK as a Top Specialist Broker for his passion and dedication within the arena of cyber security and data protection insurance.

We caught up with Duncan to ask him about his experience in the insurance sector and the growing awareness and demand for Cyber Security insurance.

As an insurance broker, what led you to specialise in cyber security insurance?

Our business deals with a wide variety of business and insurance types but the one thing nearly all of them have in common is their reliance upon cyber & data. I could see this risk growing and how important it is for business owners to protect their data. Most other brokers remained focused on traditional risks like fire & flood.

How are you involved with IASME?

Any business that achieves Cyber Essentials certification, has a turnover under £20m and is based in the UK automatically gets cyber insurance; we provide that insurance. 10 years ago, cyber insurance policies were largely unobtainable for SMEs, so I was looking for a simple way to make the process easier and affordable for SMEs and underwriters. I had known Emma Philpott, CEO of IASME, for many years and, at a chance reunion, she told me about this fantastic scheme, Cyber Essentials, she had for simplifying cyber hygiene for SMEs and how she hoped it would become an internationally recognised Cyber Assurance standard. Instantly I saw the synergy of cyber assurance and cyber insurance that has long been understood with physical security.

What cyber security certifications does your company have in place?

It goes without saying we have Cyber Essentials Plus and IASME Governance. We also have a culture within our organisation of being cyber aware, putting security before functionality and recognising we could always do better.

How do you find the process of upkeeping/managing that?

It is relatively painless – especially as I delegate most of it! Sometimes I have to educate new suppliers and users that security is just as important as functionality, which can be a new concept for some!

Do you anticipate your security concerns changing in the future? 

The world is changing so quickly. A few years ago, most of us had never shopped online, worked remotely or taken part in a webinar – these are now part of the new normal. What concerns me is the proliferation of gadgets & apps which are almost essential if we are to be part of society, but many of these gadgets & apps have minimal security and users don’t care.

Let's talk about Cyber Insurance. What kind of organisation would tend to take this out? Do you think it is used enough?

Large organisations with in-house risk teams generally have cover, but I would estimate less than 5% of SMEs in the UK have cyber or data insurance and I guess many don’t even know what it is. Some sectors who are more regulated or targeted are more cyber aware and are more likely to purchase cyber insurance – such as lawyers, accountants, schools and of course the IT and insurance sectors. But, in reality, most businesses still purchase insurance against traditional and unlikely events like fire, burglary and injuries whilst ignoring the far more likely events of cyber & data risks. However, this appears to be changing and I can predict cyber insurance becoming a normal business purchase like it is in the US.

What was the path that took you to where you are today?

After university I spent 6 years in the Army and 3 years in management before falling into the family insurance business. Unsurprisingly insurance was never a boyhood dream, but I was instantly hooked – it is all about problem solving and helping people.

What is the most rewarding part of your job?

I love solving people’s problems and helping them. Most business owners don’t enjoy insurance or risk management so being able to remove that burden is wonderful; even more heartening is being able to bring positive outcomes from horrible claims – I can visibly see the weight being lifted from client’s shoulders. I am also lucky to work with a fabulous bunch of people and to have become close friends with many of my clients.

What are your biggest frustrations about cyber security?

Everyone is aware of the risks but so few people take even basic steps to protect themselves. It is also frustrating that manufacturers make very little effort to secure their products.

What cyber security advice would you give to businesses in general?

Train staff in cyber awareness and work towards Cyber Essentials certification.

Where do you feel businesses should look for authoritative advice on cyber security?

NCSC produces some excellent advice, as do other organisations like Get Safe Online; however, I think most people respond better to actual lessons, so investing in outsourced cyber security training is a good outlay.

What are you excited about?

I am really excited about how Cyber Essentials is finally taking off with suppliers & customers recognising its value. I am also excited that after many years of me lecturing people about online security, they are now actually coming to me and asking for cyber insurance.

Sutcliffe & Co pride themselves on their honest and impartial expert advice, personally helping their customers find the right insurance for their needs. If you are interested in learning more about cyber security risk, mitigation and cyber insurance, Sutcliffe & Co have put together some excellent cyber resources. These include a cyber risks and liabilities information sheet series, cyber risk exposure calculator, cyber liability toolkit, and a cyber-attacks guide to give you just a glimpse.