Many small and medium-sized travel businesses still have “their heads in the sand” when it comes to insuring against cybercrime.

Steve Browne, senior account executive of Towergate Underwriting Travel Solutions, said firms often perceived the threat as low, despite government statistics showing nearly half of UK companies were victims of cybercrime in the year to April 2018.

In week six of Travel Weekly-backed Secure Our Systems (SOS) campaign, Browne said: “A lot of large operators and agents are aware they need to protect themselves and transfer as much risk as possible into an insurance policy.

“Many small and medium-sized companies are still sticking their heads in the sand. The predominant response we hear is “it’s never going to happen to me”, but we are all targets. I’d argue SMEs are even greater targets because of their lack of IT security and more simple technology.”

According to Touchstone Underwriting, around 52% of businesses think they have cyber cover in an existing policy but in reality less than 10% do.

New GDPR rules, which came out in May, increase operators’ responsibilities around securing data, while the cost of a breach has risen significantly, added Brown.

Browne said there was a general lack of knowledge in the trade as to the cost of a cyberattack in monetary, time and reputational terms.

According to the Verizon Data Breach Investigations Report, from May 2015, research based on 79,790 security incidents, the cost of fixing a data breach of 1,000 records is between £33 and £35 per record – and that’s just to look after the data breach victims.

Insurance cover takes three forms: rescue, response and restoration. Policies against cybercrime would cover the cost of aspects including access to professionals who can manage situations, investigate the cause of the attack, and get a business back up and running. They also include legal and PR support, defence costs, cyber business interruption and data restoration costs.

Browne stressed the cost of a cyberattack extends far beyond what most businesses expect and can include regulatory fines, subsequent claims by those affected through the civil courts and even criminal charges against directors of the business.