Welcome to our Cyber Security News Aggregator. Cyber Tzar provide a cyber security risk management platform, including automated penetration tests and risk assessments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Cyber Myths according to Aviva

published on 2025-01-27 12:17:36 UTC by josephross6

Aviva's Cyber Mythbusters

There are a host of cybersecurity myths and misconceptions that we come across daily here at Aviva Cyber, and we thought we'd address some of them here. These are not the only ones, of course, but failing to see the other side of them can be costly for businesses.


"I won't be targeted by cyber criminals"

Many individuals and businesses believe they are not valuable targets for cyber criminals, thinking that only large corporations or wealthy individuals are at risk. However, this is a dangerous misconception. We are all valuable targets for attackers seeking financial gain. Cyber criminals often use automated tools to scan the internet for vulnerabilities, meaning that anyone with an internet connection can be a target [1,2]. Large-scale ransomware attacks, such as the infamous WannaCry attack, were self-replicating and indiscriminate, spreading rapidly across the globe without targeting specific individuals or organisations [3,4]. This attack affected hundreds of thousands of computers in over 150 countries, demonstrating that cyber criminals do not need to select their targets manually [4]. Instead, they rely on spraying techniques and mass scanning to find and exploit vulnerabilities, making it easier and more efficient to launch widespread attacks [1]. Therefore, it is crucial for everyone to take cybersecurity seriously and implement protective measures.


"I don't need cyber insurance; my IT is outsourced."

Another common myth is that businesses do not need cyber insurance if their IT services are outsourced. This belief overlooks the broader impact of a cyber-attack, which extends beyond simply getting systems back online. The financial repercussions of business interruption can be substantial, with potential losses running into the millions [5,6]. Additionally, a cyber-attack can damage a company's reputation, leading to lost contracts and a decline in customer trust due to perceived security weaknesses [7,8]. It is also important to recognise that cybersecurity is a specialised field. Most Managed Service Providers (MSPs) are themselves small to medium-sized enterprises (SMEs) and may not have the resources or expertise to provide comprehensive support in the aftermath of an attack [9,10]. Effective incident response often requires a multidisciplinary approach, involving legal experts, digital forensics specialists, and public relations professionals [8]. Cyber insurance can help cover these costs and provide access to the necessary expertise, ensuring that businesses are better prepared to handle the aftermath of an attack [5].


"It's hard to put a number on cybersecurity risk."

Many businesses believe that quantifying cybersecurity risk is an impossible task, and so at times sweep it under the rug and forget about it. However, there are several methods and tools available to help organisations assess and manage their cyber risk. One such methodology is OpenFAIR, which provides a structured approach to quantifying risk in financial terms [11]. Additionally, scanning tools can provide valuable data, such as Exploit Prediction Scoring System (EPSS) scores, which indicate the likelihood of a vulnerability being exploited [12]. Insurers also have access to extensive claims data, offering real-world examples that can help businesses understand the level of risk they face [13]. This data can be instrumental in determining the appropriate level of investment in cybersecurity measures. Aviva have dedicated cyber risk management teams that can assist businesses with their cybersecurity concerns, providing guidance and support to help them navigate the complex landscape of cyber threats [14]. By leveraging these resources, organisations can gain a clearer understanding of their cybersecurity risk and take proactive steps to mitigate it.
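To make the "put a number on it" point concrete, here is an added worked example (not Aviva's, OpenFAIR's or Cyber Tzar's code) of a FAIR-style calculation in Python. FAIR decomposes loss event frequency into threat event frequency multiplied by the probability that an attempt becomes a loss; feeding an EPSS-style exploit probability into that second term is an assumption made here for illustration only (EPSS scores a CVE's exploitation likelihood, not a specific organisation's exposure). The exposures, attempt counts and loss range are constructed sample values, not measured data or real CVEs. The example goes one step beyond the paragraph by adding a Monte Carlo loss-exceedance percentile alongside the closed-form expected annual loss, which is the kind of "1-in-10 bad year" figure an insurer or board would actually ask for.

```python
# Added example (not Aviva's, OpenFAIR's or Cyber Tzar's code): a small FAIR-style
# risk quantification. Loss event frequency (LEF) = threat event frequency (TEF) x
# vulnerability, where "vulnerability" is the probability that an attempt turns into a
# loss. Using an EPSS-style probability for that term is an assumption made here for
# illustration; EPSS scores exploitation likelihood per CVE, not per organisation.
import random
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    attempts_per_year: int    # TEF: how many times a year attackers try this path
    p_exploit: float          # probability an attempt succeeds (EPSS-style, 0..1)


@dataclass
class LossRange:
    low: float       # best-case cost of one loss event
    likely: float    # most likely cost
    high: float      # worst-case cost


def loss_event_frequency(e: Exposure) -> float:
    """Expected number of loss events per year for one exposure (TEF x vulnerability)."""
    return e.attempts_per_year * e.p_exploit


def expected_annual_loss(exposures, loss: LossRange) -> float:
    """Closed-form annualised loss expectancy: total LEF x mean loss per event.
    The mean of a triangular distribution is (low + likely + high) / 3."""
    mean_loss = (loss.low + loss.likely + loss.high) / 3.0
    return sum(loss_event_frequency(e) for e in exposures) * mean_loss


def simulate_annual_losses(exposures, loss: LossRange, years=5000, seed=1):
    """Monte Carlo: for each simulated year, count successful attempts per exposure
    (one Bernoulli trial per attempt) and draw a triangular loss for each success.
    Returns the sorted list of simulated annual totals."""
    rng = random.Random(seed)          # fixed seed so results are reproducible
    totals = []
    for _ in range(years):
        total = 0.0
        for e in exposures:
            events = sum(1 for _ in range(e.attempts_per_year) if rng.random() < e.p_exploit)
            for _ in range(events):
                total += rng.triangular(loss.low, loss.high, loss.likely)
        totals.append(total)
    totals.sort()
    return totals


def percentile(sorted_values, q: float) -> float:
    """q in [0, 1]: the annual loss below which a fraction q of simulated years fall."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def risk_summary(exposures, loss: LossRange, years=5000, seed=1) -> dict:
    """Expected annual loss plus the median and 90th-percentile simulated year."""
    sims = simulate_annual_losses(exposures, loss, years, seed)
    return {
        "expected_annual_loss": expected_annual_loss(exposures, loss),
        "simulated_mean": sum(sims) / len(sims),
        "p50": percentile(sims, 0.50),
        "p90": percentile(sims, 0.90),   # a "1-in-10 bad year" figure
    }


# Constructed sample inputs (illustrative values only, not measured data or real CVEs).
SAMPLE_EXPOSURES = [
    Exposure("internet-facing VPN appliance, unpatched (hypothetical)", 20, 0.05),
    Exposure("phishing leading to credential theft", 100, 0.01),
    Exposure("outdated web CMS plugin", 30, 0.02),
]
SAMPLE_LOSS = LossRange(low=20_000, likely=80_000, high=500_000)  # GBP per incident


if __name__ == "__main__":
    for key, value in risk_summary(SAMPLE_EXPOSURES, SAMPLE_LOSS).items():
        print(f"{key:>22}: £{value:,.0f}")
```

With the constructed inputs the three exposures add up to 2.6 expected loss events a year and a mean loss of £200,000 per event, so the expected annual loss is £520,000; the simulated 90th percentile sits well above that because the loss range is heavily right-skewed, which is exactly why a single "average" figure understates the capital an organisation should be prepared to lose in a bad year.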


What do I need to know?


UK GDPR, the ICO and how Aviva can help when an organisation suffers a Cyber incident


  • When an organisation in the UK believes it has suffered a data breach and it is the Controller of the data concerned, UK GDPR requires it to notify the personal data breach to the Information Commissioner's Office (ICO) within 72 hours of first becoming aware of it. UK GDPR places other responsibilities on organisations as well; on receiving a breach notification, the ICO will check whether you have adhered to those regulations to the best of your ability and have not otherwise breached UK GDPR.

  • The ICO has various enforcement powers for a breach, including assessment notices, warnings, reprimands, enforcement notices and penalty notices, with the power to issue fines of up to £17.5m or 4% of an organisation's turnover. This can be severely damaging to an organisation's ability to trade, its reputation and its balance sheet. It can also open an organisation up to further litigation from affected data subjects.

  • During a Cyber incident, organisations will be focused on investigating the incident, but also trying to get their systems back up and running as soon as possible to continue providing services to their customers.

  • When an organisation becomes aware of a personal data breach, it is usually still under attack at the same time. This is a stressful time for an organisation which, as the victim of a crime, now has to manage various exposures, including the personal data it controlled having been downloaded by a hacker and exposed on the internet.


What Aviva and other Cyber insurers do for organisations


  • Aviva, alongside our panel vendors, works closely with lawyers who are experts in cyber risk and the UK regulatory landscape. These lawyers, alongside Aviva, have dealt with thousands of cyber incidents and data breaches.

  • We instruct these lawyers within the first 2 hours of an incident being reported to us.

  • Not only will these law firms assist the Insured in their cyber incident response more generally, but they will have legal oversight of the investigation and recovery undertaken by any cyber incident responder.

  • Where not explicitly mentioned under contract, law firms can assist in determining whether an organisation is the Controller, or Processor, of that data. A Controller and Processor have different responsibilities when it comes to a data breach under UK GDPR.

  • They will advise our Insureds where they believe a personal data breach has occurred, based on the information available, and assist the Insured in notifying the ICO to achieve the best outcome.

  • Organisations sometimes believe they can do this themselves; however, the content of their notification can inadvertently open them up to further questions and enforcement action from the ICO.

  • When the ICO raises questions, the instructed law firms can help ensure that any answers provided are not only accurate but also, where possible, reassure the ICO that the organisation is doing everything it can to assess and mitigate any harm to individuals.

  • The law firms will also advise, where relevant, that the data breach is over the threshold set by Article 34 of UK GDPR, and will assist the Insured in ensuring that the notifications sent to data subjects are compliant with Article 34 and, whilst providing accurate information, mitigate harm and reduce the exposure to costly litigation.


  1. https://www.techtarget.com/searchsecurity/resources/Security-analytics-and-automation

  2. https://www.techtarget.com/searchsecurity/ehandbook/The-time-is-ripe-to-implement-cybersecurity-automation

  3. https://www.bbc.com/news/technology-40811972

  4. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

  5. https://www.insurancejournal.com/news/international/2021/10/14/637049.htm

  6. https://www.insurancejournal.com/news/international/2025/01/15/808282.htm

  7. https://www.forbes.com/councils/forbestechcouncil/2022/04/08/ransomware-damage-are-you-forgetting-about-your-reputation/

  8. https://www.forbes.com/councils/forbestechcouncil/2025/01/22/amid-record-cyberattacks-identity-security-is-a-must-for-enterprises/

  9. https://www.csoonline.com/article/572791/five-eyes-nations-warn-msps-of-stepped-up-cybersecurity-threats.html

  10. https://www.csoonline.com/article/2070139/study-cybersecurity-burnout-impacts-88-of-cybersecurity-and-it-roles-in-singapore-what-can-you-do-as-an-msp-to-help.html

  11. https://www.risklens.com/resource-center/blog/4-powerful-ways-to-use-the-risklens-cyber-risk-quantification-platform

  12. https://www.first.org/epss/

  13. https://www.insurancebusinessmag.com/us/news/breaking-news/report-highlights-urgent-need-for-cyber-insurance-521812.aspx

  14. https://www.aviva.co.uk/risksolutions/building-your-business-resilience/cyber-and-data-management/


https://www.swcrc.police.uk/post/cyber-myths-according-to-aviva   
Published: 2025 01 27 12:17:36
Received: 2025 01 27 12:23:41
Feed: The Cyber Resilience Centre for the South West
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security
