New joint initiatives between Government and the insurance sector have been announced to help firms get to grips with cyber risk and insurance.
The initiatives, announced by the Government and Marsh, a major insurance broker and risk advisor, seek to make cyber insurance a part of firms’ cyber toolkits and cement London as the global centre for cyber risk management.
According to a report, the UK could become a world centre for cyber security insurance. The report notes a significant gap in awareness around the use of insurance, with around half of firms interviewed being unaware that insurance was available for cyber risk.
Francis Maude, Minister for the Cabinet Office with responsibility for the UK Cyber Security Strategy, said: “It is part of this Government’s long-term economic plan to make the UK one of the safest places in the world to do business online. The UK’s insurance market is world renowned and we want it to be the same in relation to cyber risks. The market has extensive knowledge and experience of more established risks to help businesses manage and mitigate relatively new cyber risks.
“Insurance is not a substitute for good cyber security but is an important addition to a company’s overall risk management. Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats.”
As part of the proposal, participating insurers will include the Cyber Essentials certification as part of their cyber risk assessment for SMEs when backed by a suitable insurance policy in order to improve their supply chain resilience.
Also, a new forum will be established by Government with the insurance sector, including the ABI and Lloyd’s, on data and insight exchange for policy discussions. The report recommends businesses review their management of cyber risk to ensure there is a joined-up recovery plan and the use of stress testing to confirm financial resilience against cyber threats.
Shaun Crawford, global head of insurance for EY, welcomed the move, but said that the burden should not lie solely at the feet of insurers, and the security industry as a whole should be involved.
“Cyber risk is different to any other type of insurable risk because it is much more dynamic in nature, so whilst insurers have the experience of managing risk, the traditional approach and methodology cannot be applied,” he said. “Although a major part of the shield against attacks, cyber insurance alone is not a silver bullet.”
Sian John, chief security strategist EMEA at Symantec, said: “We can no longer act as though a data breach might happen, it’s a case of when it will occur. With the number of breaches growing every year and over 500 million identities exposed last year alone, traditional defences are failing to protect us from attackers in today’s data-rich business world.
“Whilst it’s undoubtedly positive to see the UK Government placing cyber security high on the agenda, it’s essential that businesses don’t rely purely on having a cyber insurance policy to fall back on. Businesses should instead look to take a risk-based approach to cyber security. Insurance is one important element, but to make the best use of it, it’s necessary to understand a business’ potential exposure to attack. The business can then take an informed approach to protecting, detecting and responding to cyber attacks, using insurance where appropriate.”