Insurers join government in cyber security initiative
Written by Deborah Ritchie
Cyber threats pose a considerable risk to UK companies, and industry is by far the biggest victim of cyber crime. 81% of large businesses and 60% of small businesses suffered a breach in the last year, with the average cost of breaches to business nearly doubling since last year.
To address this, a dozen of the UK’s leading insurers met with the Minister and Cabinet Office, UK Trade & Investment, Department for Business, Innovation & Skills and GCHQ officials to discuss the issue and agree a joint statement on how to grow the cyber insurance market to improve cyber security for UK businesses.
This latest initiative builds on government’s ongoing partnership with industry under the National Cyber Security Programme (NCSP) to ensure that UK businesses have better cyber security protections in place. Guidance such as the 10 steps to cyber security for businesses and the Cyber Essentials scheme provides clear practical advice on what cyber security controls organisations should have in place. Today’s joint statement also recognises that the government- and industry-supported Cyber Essentials scheme helps businesses protect against the most common cyber threats.
Minister for Cabinet Office, Francis Maude, said: “Protecting the cyber security of UK businesses is an important part of this government’s long-term economic plan – we want the UK to be one of the most secure places in the world to do business. We want to support the growth of a cyber insurance market in the UK so we are very pleased to come together with the UK’s world-renowned insurance sector. Cyber insurance does not replace the need for good cyber security practice but is an added protection for businesses in the event of breaches.”
The initiative aims to highlight the risk to UK business posed by cyber attack, and commits industry and government to closer working to develop the UK’s cyber insurance market.
The insurance sector is in a strong position to drive improvements in cyber security risk management. The sector recognises the role it can play in improving good practice by asking the right questions of customers in relation to their cyber breach and operational risk policies.
Mark Weil, CEO of Marsh UK & Ireland, said: “As recent network attacks and data breaches have demonstrated, cyber security events can quickly accumulate significant costs, inflict reputational damage, and undermine investor confidence. A massive data breach will invite litigation, generate regulatory fines, and instigate law enforcement investigations. Cyber attacks can even cause physical damage by manipulating control processes. Companies should be assessing their vulnerability to cyber attack and taking advantage of risk management and insurance solutions to mitigate the potential for these events to harm their business.”
John Hurrell, CEO of Airmic, the UK association for risk managers and insurance buyers, said: “Cyber risk is an enormous challenge which cuts across a wide range of stakeholders and this initiative correctly recognises the need for a coordinated effort to improve the management of cyber risk in business. Airmic very much welcomes closer engagement between the government and the insurance industry, and believes the insurance industry has a critical role to play in improving awareness and informing the debate. We hope that this will in turn foster closer working relationships between other key players, including between IT and risk functions within organisations.”
The event was also used to highlight the establishment of working groups to focus on key issues and report emerging conclusions back to the Cabinet Office in April 2015.
Mark Brown, executive director, Cyber Security and Resilience at EY, said this announcement demonstrates the level of importance being placed by the UK government on cyber security. “Many firms are now focussing on how they protect against the consequential financial impacts of a cyber incident and are turning to insurance as a mechanism to alleviate risk,” he said. “However, whilst insurance offers financial protection to businesses, it does not incentivise businesses to invest in enhancing their cyber security defences. Consideration should be given to rewarding those businesses who can demonstrate effective cyber security through certification schemes such as...Cyber Essentials.
“Those organisations that show high levels of effective cyber security should be rewarded through options such as insurance premium reduction. This would align to steps taken by insurers offering protection against wider business interruption and ensure that such risks were being appropriately managed by businesses and not just managed through insurance coverage.”