Government bangs the drum for UK cyber-insurance

The British government has teamed up with the Royal Bank of Scotland and insurance broker Marsh to help develop the local cyber-insurance market, after its own report indicated that few businesses are covered in the event of a data breach.

Government bangs the drum for UK cyber-insurance
Government bangs the drum for UK cyber-insurance

The partnership was announced today on the back of the government and Marsh report “UK cyber security: the role of insurance in managing and mitigating the risk” which highlighted that despite UK businesses being vulnerable to data breaches, very few have cyber-insurance policy cover.

Based on input from 13 London insurers and several large companies, the report found that 98 percent of UK companies lack cyber-insurance, despite 81 percent admitting that they've suffered a breach in last 12 months.

The report added that while the London cyber-insurance market totals £160 million (US$ 238 million), more than 10 percent of the global market, policies for UK companies only account for around £20 to 25 million.

The government is subsequently trying to drive more interaction in this area with a series of joint initiatives with the private sector. Cabinet Office minister Francis Maude hosted an event today at the Cabinet Office for chairman and senior executives of insurers and top UK companies on the role of insurance in managing growing cyber-threats, while Marsh CEO Mark Weil has requested a copy of the report to be sent out to board members and risk managers at FTSE 250 companies.

The government is requiring all participating insurers to include the Cyber Essentials certificate as part of their cyber-risk assessment for SMEs, when backed by a suitable insurance policy in order to improve their supply chain resilience. Marsh will launch a new cyber insurance product for SMEs which will absorb the cost of Cyber Essentials certification for the majority of firms, and the government encourages other brokers to follow suit.

Lloyds, meanwhile, will work with  the UK department of Trade & Investment to market the cyber-capabilities of the London insurance market globally.

Francis Maude, Minister for the Cabinet Office and Paymaster General said on the announcement: “It is part of this government's long-term economic plan to make the UK one of the safest places in the world to do business onlin,” adding: “The UK's insurance market is world renowned and we want it to be the same in relation to cyber-risks. The market has extensive knowledge and experience of more established risks to help businesses manage and mitigate relatively new cyber-risks.

“Insurance is not a substitute for good cyber-security but is an important addition to a company's overall risk management. Insurers can help guide and incentivise significant improvements in cyber-security practice across industry by asking the right questions of their customers on how they handle cyber threats.”

Mark Weil, CEO of Marsh UK & Ireland, added in a statement: “While critical infrastructure in regulated sectors, such as banks and utility firms, are used to this kind of risk, most firms are not and their risk management practices are geared around lower-level, slower moving risks. Companies will need to upgrade their risk management substantially to cope with the growing threat of cyber-attack, including introducing disciplines such as stress-testing, and creating a joined-up recovery plan that brings together financial, operational, and reputational responses.”

Speaking to SCMagazineUK.com afterwards, Ian Birdsey, senior associate at Pinsent Masons LLP, said that UK firms are horribly unprepared to respond to data breaches.

“The report highlights a number of interesting points including the fact that there is a mismatch in terms of UK business' cyber-exposures and their preparedness for a cyber-security breach. This is reflected in the relatively low uptake to date in cyber-insurance policies. Such policies not only offer an indemnity to businesses but, crucially, typically provides access to a panel of experts at preferential rates in the event of an insured event. Just as important is how a business prepares for a breach.

“Notwithstanding a slow-start, the UK cyber-insurance market is well developed with a number of markets offering some sophisticated risk transfer products. In relation to calls for a taxpayer-backed fund to compensate companies hit by cyber-attacks, this would be premature when there is still a lot of unused capacity in the insurance market. There is a developing acceptance that it is a question of when, rather than if, a business will be breached.”

Rob Norris, director of enterprise and cyber-security in UK & Ireland at Fujitsu, said that the announcement was ‘welcome news'.

“With cyber threat's showing no signs of stopping it is vital that the wider industry continues with its focus on coming together to help businesses by offering services such as cyber-insurance,” he told SC. “However, the onus is also on businesses to remain secure. In order for businesses to do this they must first be aware of the risks which will most affect their business and then prepare themselves for a potential breach. Once aware of the overarching risks in the landscape they next need to focus on the threat that is relevant to them, remain vigilant in trying to spot any threats or breaches being responsive in the event of such a breach, either responding to it directly or with the help of a specialist third-party provider.  Preparing for incidents and events will help businesses to remain competitive.

This news comes at a time where cyber-insurance premiums fluctuate wildly, with this coverage typically some six times more expensive than property cover. Indeed, one source told SCMagazineUK.com that some premiums rose by as much as 35 percent in the days after the Anthem hack, despite the claimant having no other change in circumstances.