The UK government has released a major new report designed to highlight the role insurance and insurers can play in reducing cybersecurity risk.
The report, UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, was produced after lengthy consultation with the insurance industry and looks at several key aspects.
It points out that insurance can add a “valuable perspective” to cyber risk because the promise of a lower premium could encourage firms to take concrete steps to improve their defenses and therefore reduce that risk.
It also claims that insurers could help firms by providing “insight from claims and near misses across their client base” – valuable information given many incidents go unreported.
Finally, the report says that insurers can bring to bear many transferable areas of expertise, such as managing the risk of business interruption.
Also included are concrete recommendations designed to help firms get to grips with cyber risk; to help insurers establish cyber insurance as part of firms’ “cyber tool-kits”; and to promote London as a global center for the industry.
It recommends insurers include Cyber Essentials accreditations as part of their risk assessment for SMEs, in order to encourage adoption of the security assessment framework.
The government also claimed it would produce a guide on cyber insurance in partnership with Lloyd’s and the Association of British Insurers (ABI), as well as establish a forum for “data and insight exchange and for policy discussions.”
Ollie Whitehouse, technical director at security consultancy NCC Group, argued that encouraging companies to adopt cyber insurance would help drive up security standards.
“As the report states, the UK already has a ready-made solution to this problem in the form of Cyber Essentials, which is a set of achievable security benchmarks set out by the government,” he explained to Infosecurity.
“Businesses on the ground would benefit from more formal relationships between security firms and insurers, so that when they achieve Cyber Essentials certification they are automatically offered affordable insurance too.”
Shaun Crawford, global head of insurance for Ernst & Young, welcomed the new report and the government’s efforts to help firms better protect themselves from cyber-attack – but warned cyber insurance is not a silver bullet.
“The burden should not lie solely at the feet of insurers, and the security industry as a whole should be involved,” he added.
“Cyber risk is different to any other type of insurable risk because it is much more dynamic in nature, so whilst insurers have the experience of managing risk, the traditional approach and methodology cannot be applied.”