The government has outlined its support for growth in the cyber insurance market (2-page / 145KB PDF) in a new joint statement issued with industry stakeholders.
"Insurers providing cyber breach and wider operational risk cover can play an integral role in driving improvements in cyber security risk management," the statement said. "By asking the right questions and helping customers, insurers and insurance brokers can help promote the adoption of good practice, including Cyber Essentials, that reduce the frequency and cost of breaches."
"Not only can cyber insurance help businesses to meet the costs of a security breach event, but it can also provide front end risk analysis to gauge the organisation’s exposure to cyber risk, and deliver rapid incident response services that are critical to minimising the impact of a breach. Cyber insurance does not, of course, remove the need for businesses to manage their risk from cyber attack. It should be seen as part of a holistic approach to cyber risk management including business controls, investment in security and education of staff and customers," it said.
According to the statement, an insurance industry working group will be established and tasked with looking into how to "use insurance as a driver for improving cyber security practice in UK businesses" and within the SME community particularly.
Other similar working groups will look into how best to "model the impact of cyber attack scenarios on UK businesses and the insurance response; and explore the possible role for the insurance industry in reducing the impact of cyber attack on critical national infrastructure", the statement said. All the groups will report conclusions to the Cabinet Office by April 2015.
At a cyber security roundtable event attended by Out-Law.com earlier this year, former head of payment security at Barclaycard, Neira Jones, said there was a "blatant lack of supply chain due diligence" on the issue of cyber security. Panelists agreed that there is a "disconnect" from the SME community with the cyber security agenda and the need to improve security measures and practices.
Jones said that SMEs are only likely to act to improve their approach to cyber security where there are "commercial imperatives" to do so. Mandating better standards through regulation alone will not have the desired effect, she said.
"In the commercial world it will always come down to how much it costs, 'when do I have to do it by' and 'what else will suffer if I do do it'," Jones said. "Compliance is absolutely necessary but it is how it is deployed," she added. "It is for organisations to understand their risk and what the consequences are [of failing to comply]."
In a recent report, the Institute of Chartered Accountants in England and Wales (ICAEW) warned that the speed at which cyber attacks are evolving is not being matched by the speed at which businesses are improving their capabilities to address cyber security risks.
The ICAEW called on businesses to "balance investment in existing preventative controls with investment in new skills and solutions in monitoring, detection and response".
In providing evidence to a parliamentary committee late last month, Hugh Boyes, cyber security lead at the Institution of Engineering and Technology (IET), said that a culture shift is needed to ensure that everyone in an organisation is responsible for cyber security and that it is "not just for the specialists" to deal with.
According to PwC's 'Global State of Information Security Survey 2015' report, cyber security incidents cost businesses $2.7 million each on average, up 34% from last year. More than half of businesses (51%) now have a cyber insurance policy, the study revealed.
Technology, media and telecoms law expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, previously said that cyber breaches are now an inevitability for businesses and that having a plan to deal with those incidents can help companies reduce their exposure to risk. Birdsey said that purchasing cyber insurance can form part of that plan.
"The price of those policies, and difficulties in interpreting what precisely they provide cover for, mean that many organisations do not currently purchase them, but the position is improving in both respects," Birdsey said. "Prices are more competitive, and insurers are increasingly tailoring products to meet customers' needs, with a greater focus on a broader range of risks which could affect a business' reputation and cause it to suffer a financial loss."
"They will not fit every organisation's needs, but many insurers offering data breach and cyber liability products also provide policyholders with access to the network of experts they would otherwise need to individually seek out and contract with for help in the management of incidents," he said.
Mark Weil, chief executive of Marsh UK & Ireland, said: "As recent network attacks and data breaches have demonstrated, cyber security events can quickly accumulate significant costs, inflict reputational damage, and undermine investor confidence. A massive data breach will invite litigation, generate regulatory fines, and instigate law enforcement investigations. Cyber attacks can even cause physical damage by manipulating control processes. Companies should be assessing their vulnerability to cyber attack and taking advantage of risk management and insurance solutions to mitigate the potential for these events to harm their business."