Cyber security insurance: new steps to make UK world centre

23 Mar 2015 09:32 AM

A new report has been published on the joint initiatives between government and the insurance sector to tackle cyber risk.

Last year 81% of large UK businesses and 60% of small companies suffered a cyber security breach. A report published on 23 March by HM Government and Marsh, one of the UK’s leading insurance brokers and risk advisors, announces new joint initiatives between government and the insurance sector to help firms get to grips with cyber risk, to establish cyber insurance as part of firms’ cyber toolkits, and to cement London as the global centre for cyber risk management.

The report, ‘UK cyber security: the role of insurance in managing and mitigating the risk’, has been produced in collaboration with the UK’s insurance market and a number of top UK companies. It aims to make the UK a world centre for cyber security insurance. In particular, it highlights the exposure of firms to cyber attacks among their suppliers, with a key agreement that participating insurers will include the government’s Cyber Essentials certification as part of their risk assessment for small and medium businesses.

Cyber threats are estimated to cost the UK economy billions of pounds each year with the cost of cyber attacks nearly doubling between 2013 and 2014. The report found that, while larger firms have taken some action to make themselves more cyber-secure, they face an escalating threat as they become more reliant on online distribution channels and as attackers grow more sophisticated. It issues a call to arms for insurers and insurance brokers to simplify and raise awareness of their cyber insurance offering and ensure that firms understand the extent of their coverage against cyber attack.

Companies are recommended to stop viewing cyber largely as an IT issue and to focus on it as a key commercial risk affecting all parts of their operations. The product of collaboration between government and the sector following a summit held last November, the report recommends that firms examine the different forms of cyber attacks they face, stress-test themselves against them and put in place business-wide recovery plans.

The report also notes a significant gap in awareness around the use of insurance, with around half of firms interviewed being unaware that insurance was available for cyber risk. Other surveys suggest that despite the growing concern among UK companies about the threat of cyber attacks, less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.

On 23 March, Francis Maude, Minister for the Cabinet Office with responsibility for the UK Cyber Security Strategy, is hosting an event at the Cabinet Office for chairmen and senior executives of insurers and top UK companies on the role of insurance in managing growing cyber threats.

Francis Maude, Minister for the Cabinet Office and Paymaster General said:

It is part of this government’s long-term economic plan to make the UK one of the safest places in the world to do business online. The UK’s insurance market is world renowned and we want it to be the same in relation to cyber risks. The market has extensive knowledge and experience of more established risks to help businesses manage and mitigate relatively new cyber risks.

Insurance is not a substitute for good cyber security but is an important addition to a company’s overall risk management. Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats.

Mark Weil, CEO of Marsh UK & Ireland, added:

While critical infrastructure in regulated sectors, such as banks and utility firms, are used to this kind of risk, most firms are not and their risk management practices are geared around lower-level, slower moving risks. Companies will need to upgrade their risk management substantially to cope with the growing threat of cyber attack, including introducing disciplines such as stress-testing, and creating a joined-up recovery plan that brings together financial, operational, and reputational responses.

Ross McEwan, CEO of Royal Bank of Scotland Group, said:

Cyber security and the importance of managing cyber risk as a business risk is something we take very seriously at RBS. At RBS we have an ambition to be a bank that supports small businesses and helps them to grow. We see this growth going hand in hand with strong and resilient companies, both large and small. That is why we’re delighted to support this report and encourage further effort from industry and government to help SMEs stay strong in today’s digital world.

Key findings from the report

Recommendations include

For insurers and government:

For businesses:

For insurance brokers:

For the market:

Notes to editors

On 5 November Francis Maude held a summit which committed government and the insurance sector to work together to develop proposals to improve the availability and uptake of cyber insurance by UK companies. A joint working group was set up and has produced a definitive report on the UK cyber insurance market providing key statistics, findings, insights and key recommendations.

The report, ‘UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk’, is based on input from 13 London insurers and a number of large companies.

The Cyber Essentials scheme was launched on 5 June 2014. This new government-backed and industry-supported scheme guides businesses in protecting themselves against the most common cyber threats. Cyber Essentials documents are free to download and any organisation can use the guidance to implement essential security controls. Organisations that are successfully and independently assessed by a certification body can achieve a Cyber Essentials award to demonstrate that they meet the government-endorsed set of basic controls on cyber security.

The ‘Ten Steps to Cyber Security’ guidance and the cyber security guidance for small businesses show companies how they can manage cyber security risk and put best practice in place.

The ‘UK Cyber Security Strategy’, published in November 2011, provided government with a framework and objectives in tackling cyber threats, promoting awareness and providing a growing platform of strong private sector partnership. The strategy is supported by £860 million of funding from the National Cyber Security Programme which has helped put in place new initiatives and structures as part of the government’s response to growing threats in cyberspace.

In December 2014, government published the third annual report on progress against the strategy, achievements and spend on the National Cyber Security Programme as well as forward plans.