UK government joins forces with insurers on cyber security

Government collaborates with the insurance industry to improve how UK businesses manage cyber security risk

The UK government has joined forces with the insurance industry to improve how UK businesses manage cyber security risk.

The initiative builds on the government’s 10 Steps to Cyber Security guidance on managing cyber risk; and the Cyber Essentials Scheme to ensure basic cyber hygiene as part of the UK Cyber Security Strategy.

The government believes working with the insurance industry to develop a comprehensive cyber security insurance model is the next step to encouraging private-sector firms to manage cyber risk.

“Protecting the cyber security of UK businesses is an important part of this government’s long-term economic plan – we want the UK to be one of the most secure places in the world to do business,” said Francis Maude, minister for the Cabinet Office, after a meeting with 12 major insurance companies in London.

“We want to support the growth of a cyber insurance market in the UK, so we are very pleased to come together with the UK’s world-renowned insurance sector.

“Cyber insurance does not replace the need for good cyber security practice, but it is an added protection for businesses in the event of breaches.”

Government cyber security action

The meeting follows several months of discussions between government and insurers, to find a way to drive adoption of the standards set out in the Cyber Essentials Scheme (CES) in the private sector.

Compliance with the CES standards was introduced for government departments in June 2014 and was made mandatory for all suppliers of IT services to the public sector from 1 October 2014.

The risk of cyber attacks to business in the UK and globally is growing, according to a joint statement issued by government and its partners in the insurance industry.

The 2014 Information Security Breaches Survey found 81% of large enterprises and 60% of small businesses suffered a cyber security breach in the past year; and the average cost of breaches to business has nearly doubled since 2013.

Risk analysis and responsibility

The joint statement said that, by providing cyber breach and wider operational risk cover, insurers can play an integral role in driving improvements in cyber security risk management.

“By asking the right questions and helping customers, insurers and insurance brokers can promote good practice, including Cyber Essentials, that reduces the frequency and cost of breaches,” the statement said.

In addition to helping businesses meet the costs of security breaches, cyber insurance can provide front-end risk analysis to gauge the organisation’s exposure to cyber risk, said the statement. Insurance can also deliver rapid incident response services critical to minimising the impact of a breach, it said.

However, the statement said cyber insurance should not absolve businesses's responsibility to manage their risk of cyber attack.

“It should be seen as part of a holistic approach to cyber risk management, including business controls, investment in security and education of staff and customers,” the statement said.

Industry leads working groups

After the meeting, the government announced that industry-chaired working groups will be established, including representatives from government.

These working groups will explore how best to:

  • Use insurance to driver the improvement of cyber security practice in UK businesses, and in SMEs in particular;
  • Model the impact of cyber attack scenarios on UK businesses and the insurance response;
  • Explore the possible role of the insurance industry in reducing the impact of cyber attack on critical national infrastructure.

These groups will contribute to the shared goal of driving growth in the effective use of cyber insurance and establishing the UK as the leading market for global business. They will report their conclusions to the Cabinet Office by April 2015.

“Today's announcement further demonstrates the level of importance being placed by the UK government on the strategic importance for the business of Cyber Security,” said Mark Brown, director, cyber security and resilience at Ernst & Young (EY). 

Managing incentives

“Many firms are now focusing on how they protect against the consequential financial impacts of a cyber incident and are turning to insurance as a mechanism to alleviate risk.” 

However, Brown said that, while insurance offers financial protection to businesses, it does not give businesses incentives to invest in enhancing their cyber security defences. 

“Consideration should be given to rewarding businesses that demonstrate effective cyber security through certification schemes such as Cyber Essentials,” he said.

“Those organisations that show high levels of effective cyber security should be rewarded through options such as insurance premium reduction."

According to Brown, this would align with insurers offering protection against wider business interruption and ensure such risks were appropriately managed by businesses, and not just managed through insurance coverage.

Next Steps

Learn why cybersecurity insurance policies are increasing in popularity 

Read more on IT risk management