The report on the role of insurance in managing and mitigating cyber risk (32-page / 2.78MB PDF) highlighted a discrepancy between the cover that chief executives believe their companies have for cyber risk and the reality of the insurance protection their businesses have purchased.
"Business leaders who are aware of insurance solutions for cyber tend to overestimate the extent to which they are covered," the report said. "Surveys show that 52% of CEOs believe that they have cover, whereas in fact less than 10% do. This picture is likely a result of the complexity of insurance policies with respect to cyber, with cyber sometimes included, sometimes excluded, and sometimes covered as part of an add-on policy."
Insurers can help address the discrepancy by "treating cyber risk more consistently", the report said. There are 11 types of damage that a business can experience as a result of a cyber attack, but there is a "current focus" on data breach risks and cyber insurance products do not always protect companies from other cyber risks such as business interruption, damage to property, and theft of intellectual property, it said.
According to the report, just 2% of large businesses in the UK have "explicit cyber cover" and approximately half of the businesses the government liaised with for the report said they were not aware "that cyber risks can even be insured".
The report also outlined the challenge businesses and insurers face in placing a value on cyber risks and identified "an urgent need" for the insurance industry to "address the size of aggregate [cyber] risk being built up, and how to handle it". The government said, though, that it would not move to underwrite the cost of cyber cover offered by insurers at this time.
"While some market participants have suggested that a possible government backstop may be necessary, there is no conclusive evidence of the need for such a solution at present," the report said.
Cyber liability specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said it would be "premature" for a taxpayer-backed fund to be set up to compensate companies hit by cyber attacks. This is because "there is still a lot of unused capacity in the insurance market", he said.
Birdsey said the low uptake to date of cyber insurance policies by UK companies is reflective of the report's finding of a mismatch of UK business’ cyber exposures and their preparedness for a cyber security breach.
"Notwithstanding a slow-start, the UK cyber insurance market is well developed with a number of markets offering some sophisticated risk transfer products," Birdsey said. "There is a developing acceptance that it is a question of when, rather than if, a business will be breached. The recent examples in the US show that senior management teams within those businesses will be judged on how well they prepare, and how they manage, such events when they occur."
A court in the US last week gave preliminary approval to a $10 million settlement to be paid by US retail giant Target to consumers who had taken legal action against the company after a cyber attack exposed their personal data to potential fraudsters, according to a New York Times report.
"Cyber insurance policies not only offer an indemnity to businesses but, crucially, typically provides access to a panel of experts at preferential rates in the event of an insured event," Birdsey said. "Just as important is how a business prepares for a breach."
In the new report, the government said it wants London to develop into a "global centre for cyber risk management" and outlined plans to promote London's cyber insurance capabilities. It said that changes to EU data protection laws, which look like raising the maximum potential regulatory fines businesses could be served with for a personal data breach, "is likely to" broaden the "export opportunity" for cyber insurance providers beyond the existing dominant US market.
The government has set up a Cyber Essentials initiative that allows businesses that meet certain standards on cyber security to win accreditation for their cyber resilience. Businesses hoping to win some government contracts must be accredited under the Cyber Essentials scheme.
To encourage small businesses to improve their cyber security, insurers have agreed to "include Cyber Essentials certification as part of their small and medium-sized enterprise (SME) cyber risk assessment", the new report said. Marsh has developed a cyber insurance product for SMEs that "pays for the cost of Cyber Essentials certification to reflect the risk reduction that accreditation represents", it said.