Cyber Insurance – An Update
Following its 'Cyber Streetwise' campaign, which highlighted the particular threat to SMEs of cyber attacks, the Government has now published a report 'UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk'. The report illustrates the growing threat of cyber attacks to UK businesses and the ways in which insurance can be used to mitigate the risks.
The report cites a lack of awareness among UK businesses of dedicated cyber insurance covers that are available in the market and a lack of understanding as to whether traditional policies cover cyber risks. According to Government research, 52% of CEOs believe they have cyber cover, whereas in fact less than 10% do. The research has found that this is primarily due to a failure by insurers to communicate the value of the cover to business leaders.
The report also references 'Cyber Essentials', a guide launched in June 2014 by the Government in partnership with Lloyd's and the Association of British Insurers. The intention is that the guide will help businesses to understand and address the risks associated with cyber attacks through basic technical controls that all organisations should have in place. As a result of the launch of this guide, it is anticipated that insurers will look for a 'Cyber Essentials certification' as part of their SME cyber risk assessment.
The report also suggests that a higher level of attention should be given by UK businesses to the threat of cyber attacks instead of the current focus on data breaches and other IT issues. The UK Government's Annual Breach Report for 2014 revealed that 82% of large businesses and 60% of small businesses in the UK suffered a security breach in 2014. In response to the increasing risk of cyber attacks, larger businesses have already taken action with 88% of ftse 350 companies now including cyber risk in their strategic risk report.
Research from the report highlights the fact that SMEs are at a greater risk of data and software damage, are more prone to attack due to their higher vulnerability, and lack the back-up disaster recovery solutions of larger organisations. The Government hopes to promote 'Cyber Essentials' quickly amongst these SMEs, in order to keep up with the growing threat of cyber attacks.
One proposed solution to achieve a more consistent approach to the insurance of cyber risks suggested in the report is for insurance brokers to provide businesses with a 'statement of cyber insurance'. This would be an overview of the risks that a particular business faces and would include an identification of relevant cyber perils, a cyber gap analysis, identification of solutions for uninsured risks and a formal report of cyber assurance.
Garbhan Shanks' previous article on the threat of cyber attacks to SMEs sets out a number of factors which policyholders should bear in mind when purchasing cyber cover. These included not underestimating the true cost of an attack and negotiating the retroactive date and extended reporting period. Read the full 'Cyber "myths" putting UK SMEs at risk' article.