Cyber risk and the UK’s Cyber Essentials Scheme

Cyber risk is on the radar as a threat to business and private life, and it is also grabbing the attention of governments

Cyber risk is now well and truly on the radar as a threat to business and private life, and it is also grabbing the attention of governments.

The involvement of governments is (mainly) welcome, as we are in the throes of a three-cornered fight: there are those who want to steal data or vandalise it; governments that fear the consequences of lost data; and industry, which sees both the risks and a golden future in big data analytics and knowledge of customer needs. 

To be fair to the UK and US governments, as well as the EU, each has recognised the enormous productivity gains inherent in IT solutions, as well as the threats posed by them.

The UK government has just set out some basic measures that all organisations can use to reduce cyber risk, following a GCHQ-led review of cyber attacks. This initiative, the Cyber Essentials Scheme, is not intended to have the force of law. Instead, market forces will be left to drive compliance and adoption. 

However, as a form of encouragement, certification should become a requirement in some government procurement contracts – where it is relevant and proportionate. Given the size of the government's IT budget, this is likely to have a significant impact on the market. The scheme is similar to the US government's Critical Infrastructure Cybersecurity Framework, although the US government is said not to want to make its version mandatory in procurement contracts.

The UK Cyber Essentials Scheme was formally launched on 5 June and aims to encourage organisations (not just businesses) to take steps towards achieving at least a basic level of cyber security that might prevent some 80% of attacks to which they would otherwise be vulnerable. 

The scheme builds on elements of ISO 27001, laying out a procedure for establishing resistance to cyber risk; the key aspect of the new initiative is that this resistance can be externally certified. External certification is important: it is designed to enable those dealing with an organisation – customers, suppliers and perhaps insurers – to know whether it meets a measurable minimum standard of cyber hygiene. This in turn should create a competitive advantage for those who demonstrate compliance over rivals who do not.

Once the scheme is up and running, applicants will be able to get certification showing the level of compliance they have attained. 

The most basic level relies on self-assessment; the next adds a requirement for independently verified testing; and the top level not only uses the independently verified testing process but also requires some insight into the way in which compliance will be maintained. The first two only provide snapshots at the time of certification; the top level, by looking into governance and process management, seeks to measure the sustainability of the cyber hygiene system.

There are significant areas of the scheme which have yet to be resolved. One example of this is the treatment of external cloud platforms essential for businesses that use cloud-based systems to carry out critical functions using sensitive data.

From a compliance and risk management point of view, the Cyber Essentials Scheme also sets a benchmark against which management may be judged and held accountable: cyber risk management is, of course, a corporate governance issue. 

Also, standards such as these may be used in the determination of negligence; losses that could have been prevented by the adoption of Cyber Essentials may turn out to be uninsured (more on this later) and more easily shown to be the responsibility of the organisation that failed to prevent them.

This brings us to the insurance industry, which is developing cyber insurance policies and at the same time working to exclude "cyber" risks from standard insurance policies. As yet, we do not know how insurers will recognise Cyber Essentials certification; it might become a prerequisite for buying cyber or other insurance – certainly it could affect premiums. Insurers are already in dialogue with the Department of Business, Innovation and Skills about how the scheme will work and how, in practice, they will support and recognise it. 

One thing is already clear, however. Risk managers and IT specialists should be talking about the kind of insurance cover their business has: which cyber risks are excluded, and which cover best meets their needs and perceived threats? There is, as yet, no standard cyber cover, and indeed the word "cyber", in the insurance context, does not have one single, accepted meaning.

This leads to the final point that I would like to make about cyber risk assessment and due diligence. As more functions are outsourced and carried out remotely, greater reliance is placed on third-party vendors. An audit and review of the terms on which third-party services are provided – particularly in cloud, data processing and telecoms – is a very important procedure. 

It is surprising how many companies do not have a cyber risk register; some do not even have a centralised register of the contracts under which these risks arise. Without these registers, how can a business check, manage and insure the risks that it carries and for which vendors exclude liability?

This is where legal, risk management and IT functions can work together to understand how exposure and risks arise and how contractual documentation addresses them. From a management point of view, it is very important to be able to show shareholders, customers and suppliers that there is a programme in place that regularly evaluates the cyber risks that could affect the business. Failure to do this may lead to loss of business, fines and worse.

Nigel Montgomery is a partner at Sidley Austin LLP's insurance practice