UK aims to become world centre in cyber security insurance

The UK aims to become a global leader in cyber security insurance through a set of joint initiatives between the government and the insurance sector

The UK aims to become a global leader in cyber security insurance through a newly announced set of joint initiatives between the government and the insurance sector.

The initiatives are designed to help firms get to grips with cyber risk, to establish cyber risk insurance as part of firm’s cyber tool kits and to establish London as the global centre for cyber risk management.

The plan is detailed in a report published by the government and Marsh, one of the UK’s leading insurance brokers and risk advisors.

The report follows a meeting in November 2014 between Cabinet Office minister Francis Maude and 13 major insurance firms to discuss ways of improving how UK businesses manage cyber security risk.

The report builds on the 10 Steps to Cyber Security guidance on managing cyber risk and the Cyber Essentials Scheme to ensure basic cyber hygiene as part of the UK Cyber Security Strategy.

Those at the meeting agreed to work together to develop proposals to improve the availability and uptake of cyber insurance by UK companies.

A joint working group was set up and has produced a definitive report on the UK cyber insurance market, providing key statistics, findings, insights and key recommendations. 

According to the report, 81% of large UK businesses and 60% of small companies suffered a cyber security breach in the past year.

The report, entitled UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, highlights the exposure of firms to cyber attacks among their suppliers.

A key agreement detailed by the report is that participating insurers will include the government’s Cyber Essentials certification as part of their risk assessment for small and medium-sized enterprises (SMEs).  

A key initiative announced in the report is that Marsh is to launch a new cyber insurance product for SMEs which will absorb the cost of Cyber Essentials certification for the majority of firms.

The government has encouraged other brokers to follow suit. The cost of certification has been identified by a number of commentators as being the biggest obstacle to SMEs.

Cyber threats increasingly costly to UK economy

Cyber threats are estimated to cost the UK economy billions of pounds each year with the cost of cyber attacks nearly doubling between 2013 and 2014. 

The report revealed hat, while larger firms have taken some action to make themselves more cyber secure, they face an escalating threat as they become more reliant on online distribution channels and as attackers grow more sophisticated. 

The report issues a call to arms for insurers and insurance brokers to simplify and raise awareness of their cyber insurance offering, and to ensure that firms understand the extent of their coverage against cyber attack.

Companies are recommended to stop viewing cyber largely as an IT issue and focus on it as a key commercial risk affecting all parts of its operations.  The report also recommends that firms examine the different forms of cyber attacks they face, to stress-test themselves against them and to put in place business-wide recovery plans.

Read more about cyber insurance

The report also notes a significant gap in awareness around the use of insurance, with around half of firms interviewed being unaware that insurance was available for cyber risk.

Other surveys show that despite the growing concern among UK companies about the threat of cyber attacks, fewer than 10% of UK companies have cyber insurance protection even though 52% of chief executives believe their companies have some form of coverage in place.

The UK government is hosting an event at the Cabinet Office on 23 March 2015 for senior executives of insurers and top UK companies on the role of insurance in managing growing cyber threats. 

Maude, who has overseen the UK cyber security strategy, said in a statement that it is part of the government's long-term economic plan to make the UK one of the safest places in the world to do business online.

“The UK’s insurance market is world-renowned and we want it to be the same in relation to cyber risks. The market has extensive knowledge and experience of more established risks to help businesses manage and mitigate relatively new cyber risks,” he said.

However, Maude said insurance is not a substitute for good cyber security, but is an important addition to a company’s overall risk management. 

“Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats,” he said.

Marsh UK & Ireland chief executive Mark Weil said that while critical infrastructure in regulated sectors, such as banks and utility firms, are used to this kind of risk, most firms are not and their risk management practices are geared around lower-level, slower-moving risks.

“Companies will need to upgrade their risk management substantially to cope with the growing threat of cyber attack, including introducing disciplines such as stress-testing, and creating a joined-up recovery plan that brings together financial, operational and reputational responses,” he said.

Key findings of the report:

  • Insurers can help firms better manage their cyber risks. By asking the right questions and educating clients, insurers can help drive the adoption of cyber security best practice, including Cyber Essentials.
  • The UK insurance sector is already a world-leader. With initiatives like this the sector is demonstrating that the UK is the natural home for a growing global cyber insurance market.
  • Insurers support shows the success of government’s Cyber Essential Scheme. They recognise having Cyber Essentials certification is a valuable indicator of a mature approach to cyber security in SMEs that contributes to the reduction of risk.
  • The contributing insurers will incorporate Cyber Essentials into their risk assessment process for SMEs, making it easier for firms to get coverage.
  • Firms place cyber amongst their leading risks in terms of likelihood and severity of impact.
  • Banks and national infrastructure organisations are generally better equipped in modelling cyber risks which can be very fast moving and damaging whereas most other businesses are not as well equipped to deal with this type of "tail risk".
  • Modelling of cyber risk has been difficult due to a lack of available data. However, there are alternative approaches to valuing the risk of cyber attack including using stress testing.
  • There is a lack of awareness of cyber insurance and certainty about coverage – fewer than 10% of companies have cyber insurance according to recent surveys.
  • A lack of data pooling poses a challenge for the insurers in the development of their pricing models and coverage.
  • The potential for the aggregation of losses impacting a large number of firms and arising from a is a growing concern for insurers.
  • The UK insurance market has a history of underwriting large complex risks and has established itself to be a leading market in the provision of cyber insurance.

Key initiatives and recommendations of the report:

  • Participating insurers will include the Cyber Essentials certification as part of their cyber risk assessment for SMEs when backed by a suitable insurance policy in order to improve their supply chain resilience. This will simplify the application process for businesses.
  • A new forum will be established HM Government with the insurance sector, including the Association of Business Insurers and Lloyds, on data and insight exchange for policy discussions.
  • Firms should review their management of cyber risk. Effective risk management needs to include a board-level owner for cyber risk, a joined up recovery plan and the use of stress testing to confirm financial resilience against cyber threats.
  • Participating insurers will include Cyber Essentials accreditation as part of their risk assessment for SME to encourage greater adoption. 
  • Brokers should provide firms with a cyber assurance statement to give the Board confidence of the completeness of their cover.
  • Lloyds will work with UK Trade & Investment to market the cyber capabilities of the London Insurance market globally.
  • A new multi-disciplinary taskforce set up by CityUK is aimed at bringing together different sectors to accelerate discussions on a joint UK cyber offering related to insurance for export.

Read more on IT risk management