Developing awareness of cyber insurance and providing practical guidance on mitigating cyber risk are to be the two lines of focus for a new working group.

At the inaugural meeting of the Cyber Risk Insurance Forum (CRIF), the aim was to develop a framework of recommended information security practices and policies to support the uptake of cyber insurance, protecting insurers and businesses alike.

Established by NCC Group and formerly known as the Cyber Insurance Working Group, the CRIF has been established to develop a security framework for companies taking out cyber insurance, and it has now grown to include Liberty International Underwriters (LIU), Zurich Insurance, CNA Europe and Oval, as well Thales, Continuity Forum, ACE Insurance and Hill & Knowlton.

CRIF is also highlighting that it is often smaller businesses that are the most vulnerable. It said that without access to the vast security budgets or the dedicated personnel available to global enterprises, they may be an easier target for the emerging sophisticated cyber criminals.

Janet Williams, the lead on cyber crime for the Association of Chief Police Officers, has proposed the introduction of a ‘kitemark' security standard that companies seeking cover against cyber attacks may be encouraged to meet. ENISA has also called on the cyber insurance market to help improve the standards of information security being adopted, while RBS/NatWest hit the headlines when it announced that it would set aside £125 million to cover the costs of the IT failure it recently suffered.

CRIF chairman Daljitt Barn said: “Cyber insurance doesn't mitigate the risk of suffering a cyber attack in itself, but if combined with cyber risk best practice, it will. Driving development of those guidelines depends on making organisations aware of the risks that they face.”

Matthew Hogg of LIU said: “We realise from our discussions with industry that a two-pronged attack is necessary to drive our campaign forward. The Cabinet Office reckons that cyber crime costs the UK economy £27 billion a year, so it's clearly a major threat, but too many businesses still don't appreciate fully how this affects them, or what steps they can take to help make themselves safer.

“They need guidelines commensurate with the size of the organisations and their risk exposure in their given vertical, along with awareness-raising of cyber risk and insurance.”