Is your dental practice covered for business interruption from cyber-attack?

Professional Risks Corporate Manager, Thomas Hogan, for Wesleyan Financial Services, outlines the potential impact of business interruption as a result of cyber-attack.

Any organisation that holds detailed and sensitive information is potentially at risk from cyber-attack and dental practices are no exception. According to a 2023 Cyber Security Breaches Survey by the UK Government - 31% of Micro businesses (1-9 employees) and 32% of small businesses (10-49 employees) across all UK sectors, identified a cyber breach or attack in the last 12 months.  ¹

In my opinion, cyber-attack is always going to be a significant risk for dental practices – especially for private dental practices that may not have the same level of resources to invest in protection as larger organisations such as the NHS.

There are a multitude of reasons why dental practices may be targeted by such criminal activity - it may be to access personal data, or in the case of some practices it may be to steal intellectual property that is used to design implants for example.

However, as most practice owners and managers are aware, data breaches are taken very seriously and can incur quite hefty fines from the Information Commissioner’s Office (ICO), not to mention the interruption to business – this means it is important to ensure that your practice has the right kind of cover in place. Understandably a number of dental practices don’t have the most up-to-date, or sophisticated software - this presents a real risk, as they are often deliberately targeted by criminals and unfortunately, this risk is constantly increasing as criminal cyber activity becomes ever more sophisticated.

What is cyber business interruption?

An interruption to business describes a period where you cannot carry out business as usual due to an unexpected event and as a result, income is lost - business interruption insurance serves to replace the lost income. However, not everybody realises that whilst many surgery policies include business interruption, cyber–attack is not covered – it’s an exclusion. This is because on a traditional type of policy, business interruption cover is typically triggered by damage to the property in the case of a fire or a flood for example, cyber-attack however, does not constitute property damage, but can cause serious interruption to business operation. Having a cyber policy not only covers the cost of rectifying any cyber issues but also any loss of income as a result.

What are the impacts of cyber-attack?

Cyber-attack can last for a long time if criminals successfully take control of the practice’s systems and access data. Everything has to be reinstated before the business is up and running again - this can take a long time. If this period of time is not covered, it can result in a significant loss of earnings. NHS practices do offer some kind of buffer against this and UDAs can be made up, but for private practices it can be more challenging to compensate for that loss of income. Having a separate policy for cyber insurance can significantly minimise the impacts of any potential loss of income.

How much of a risk is cyber-attack?

The risk of cyber-attack is increasing - if an attack does occur, it can be quite complex and require specialist IT support to resolve the problem. This is especially true if ransomware is involved or social engineering. The latter refers to types of simulations - where criminals might send a fake invoice for example, to thousands of people across different organisations.79% of Cyber-attacks in the last twelve months were attributed to social engineering². Most of the recipients will spot that the invoice is suspect, but it only takes one person to not notice. This often tends to be because the simulation coincidentally resonates with that person – they may have recently purchased something at the retailer the criminals are mimicking or an invoice from a trusted supplier and once the criminals are in, they can cause a lot of damage. Therefore, having the most sophisticated anti-malware systems in place certainly offers a good level of protection, but unfortunately this doesn’t guarantee that nothing will ever happen.

Even if nothing is stolen, the official process of notifying patients and staff that their data has been accessed following a cyber-attack can cost a lot of time, money and resources.

What type of policy do I need?

The type of policy required will depend on a number of factors. The biggest driver of the premium is typically the practice’s income - generally speaking, the greater the income, the higher the number of patients.

Seeking specialist support

Cyber-attack is constantly evolving – as soon as a vulnerability is identified and patched, the criminals are already working on something else – making it something of a constant game of cat and mouse. That is why it is so important to seek specialist advice to ensure that you have the appropriate cover in place for your business, so that in the event that criminals are able to access the systems of your practice, you will be covered for any potential loss in earnings.

Wesleyan Financial Services Limited is a broker and its insurance products are provided by a number of selected insurers.

For support and guidance on cyber security for your practice or for a quote, get in touch with the team by calling 0800 231 0826 or visit Insurance for dentists | Wesleyan or email: This email address is being protected from spambots. You need JavaScript enabled to view it.

About Tom With over 10 years’ experience at Wesleyan Financial Services, Tom focuses on supporting dental and legal firms with their insurance needs. From sole traders and SMEs to some of the UKs largest dental corporate groups, and is dedicated to providing his clients with specialist risk management advice and support tailored to their circumstances.  

Wesleyan Financial Services Ltd (Registered in England and Wales No. 1651212) is authorised and regulated by the Financial Conduct Authority. Registered Office: Colmore Circus, Birmingham B4 6AR. Telephone: 0345 351 2352. Calls may be recorded to help us provide, monitor and improve our services to you. security breaches survey 2023 - GOV.UK (www.gov.uk)