Last year, 81% of large UK businesses and 60% of smaller companies suffered a cyber security breach. Now, a detailed report published on 23 March by Her Majesty’s Government and Marsh – one of the UK’s leading insurance brokers and risk advisors – announces new joint initiatives between Government and the insurance sector designed to help firms get to grips with cyber risk, establish cyber insurance as part of their cyber toolkits and cement London as the global centre for cyber risk management.
The report (entitled ‘UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk’) has been produced in collaboration with the UK’s insurance market and a number of top UK companies. It aims to make the UK a world centre for cyber security insurance.
In particular, this document highlights the exposure of firms to cyber attacks among their suppliers with a key agreement that participating insurers will include the Government’s Cyber Essentials certification as part of their risk assessment for small and medium-sized organisations.
Cyber threats are estimated to cost the UK economy billions of pounds each year, with the cost of cyber attacks nearly doubling between 2013 and 2014. The report finds that, while larger firms have taken some steps towards making themselves more ‘cyber secure’, they face an escalating threat as they become more reliant on online distribution channels and attackers grow more sophisticated.
The new report issues a ‘Call to Arms’ for insurers and insurance brokers to both simplify and raise awareness of their cyber insurance offering and ensure that firms understand the extent of their coverage against cyber attack.
Companies are recommended to stop viewing cyber largely as an IT issue and instead focus on it as a key commercial risk affecting all parts of their operations.
The product of determined collaboration between Government and the insurance sector following a summit held last November, the report recommends that firms examine the different forms of cyber attacks they face, stress-test themselves against them and put in place business-wide recovery plans.
The report also notes a significant gap in awareness around the use of insurance, with half of all those firms interviewed being unaware that insurance was available for cyber risk.
Other surveys suggest that, despite growing concern among UK companies about the threat of cyber attacks, less than 10% of UK organisations have cyber insurance protection in place even though 52% of CEOs believe that their companies harbour some form of coverage.
Comment from the Government and the insurance world
Francis Maude, Minister for the Cabinet Office and Paymaster General, said: “It’s part of this Government’s long-term economic plan to make the UK one of the safest places in the world in which to do business online. The UK’s insurance market is world renowned, and we want that situation to be the same in relation to cyber risks. The market has extensive knowledge and experience of more established risks to help businesses manage and mitigate relatively new cyber risks.”
Maude continued: “Insurance isn’t a substitute for good cyber security but it most certainly is an important addition to a company’s overall risk management procedures. Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers in terms of how they handle cyber threats.”
Mark Weil, CEO of Marsh UK & Ireland, added: “While critical infrastructures in regulated sectors such as banking and the utilities will be well used to this kind of risk, it’s very much the case that most firms are not and their risk management practices are geared around lower-level, slower moving risks. Companies will need to upgrade their risk management regimes quite substantially in order to cope with the growing threat of cyber attack, including introducing disciplines such as stress-testing and creating joined-up recovery plans that bring together financial, operational and reputational responses.”
Ross McEwan, CEO at the Royal Bank of Scotland (RBS) Group, stated: “Cyber security and the importance of managing cyber risk as a general business risk is something we take very seriously indeed. At RBS, we have an ambition to be a bank that supports small businesses and helps them to grow. We see this growth going hand-in-hand with strong and resilient companies, both large and small in scale. We’re delighted to back this report and encourage further effort from industry and Government alike to help SMEs stay strong in today’s digital world.”
Key findings from the report
*Insurers can help firms better manage their cyber risks. By asking the right questions and educating clients, insurers may assist in driving the adoption of cyber security Best Practice (including Cyber Essentials)
*The UK’s insurance sector is already a world-leader. With initiatives such as this the sector is demonstrating that the UK is the natural home for a growing global cyber insurance market
*Insurers’ support shows the success of the Cyber Essentials scheme. They recognise having Cyber Essentials certification is a valuable indicator of a mature approach to cyber security in SMEs and one that actively contributes to the reduction of risk
*The contributing insurers will incorporate Cyber Essentials within their risk assessment process for SMEs, in turn making it easier for firms to access the right coverage
*Firms place cyber among their leading risks in terms of likelihood and severity of impact
*Banks and national infrastructure organisations are generally better equipped in modelling cyber risks which can be very fast-moving and damaging, whereas most other businesses are not as well-equipped to deal with this type of ‘tail risk’
*Modelling of cyber risk has been difficult due to a lack of available data. However, there are alternative approaches to valuing the risk of cyber attack (including the use of stress-testing)
*There’s a lack of awareness around cyber insurance and certainty about coverage. According to recent surveys, less than 10% of companies have cyber insurance in place
*A lack of data pooling poses a challenge for insurers in relation to the development of their pricing models and coverage
*Potential for the aggregation of losses impacting a large number of firms and arising from a single attack – in turn leading to losses across a large number of firms – is a growing concern for insurers
*The UK insurance market has a history of underwriting large complex risks and is established as a leading market in the provision of cyber insurance
Recommendations for insurers and Government, businesses, insurance brokers and the market
For insurers and Government:
*Participating insurers will include the Cyber Essentials certification as part of their cyber risk assessment for SMEs when backed by a suitable insurance policy in order to improve their supply chain resilience. This will simplify the application process for businesses
*A new Forum will be established by Government with the co-operation of the insurance sector (including the ABI and Lloyds). It’s focus will be on data and insight exchange for policy discussions
*Firms should review their management of cyber risk. Effective risk management needs to include a Board-level owner for cyber risk, a joined-up recovery plan and the use of stress-testing to confirm financial resilience against cyber threats
For insurance brokers:
*Participating insurers will include Cyber Essentials accreditation as part of their risk assessment for SMEs to encourage greater adoption. Marsh will launch a new cyber insurance product for SMEs which will absorb the cost of Cyber Essentials certification for the majority of firms. The Government encourages other brokers to follow suit
*Brokers should provide companies with a cyber assurance statement to give the Board confidence of their comprehensive cover
For the market:
*Lloyds of London will work with UK Trade & Investment to market the cyber capabilities of London’s insurance market on the global stage
*A new multi-disciplinary task force will be established by CityUK and aim to bring together different sectors in order to discuss a joint UK cyber offering related to insurance for export