
UK cyber security: insure against 'rapid, highly damaging and public' threats

06 May 2015. Published by Mark Crichard, Partner

Cyber attacks present a daily threat to UK businesses and have become more destructive in recent years with data breaches and hacks frequently making front page news.

Consider the Sony Pictures hack following controversy over the film The Interview, the Kaspersky Labs $1bn cyber robbery or points stealing from British Airways' air-miles accounts. Data security has become a fundamental issue for companies and this raises the question: what can they do?

According to an Information Security Breaches Survey carried out by the UK Department for Business, Innovation & Skills, 81% of large UK businesses and 60% of small companies suffered a cyber-security breach in 2014. The Government has now announced new joint initiatives with the insurance sector to help firms manage this risk. The Government and insurance brokers Marsh have published a report entitled 'UK cyber security: the role of insurance in managing and mitigating risk'. This report found that whilst bigger firms have acted to secure themselves against cyber threats, these threats grow ever more prevalent as attackers become more sophisticated.

Whilst historically such matters have been confined to the IT/tech industry, companies are being encouraged to place cyber threats at the forefront of commercial risk with the potential to affect all their operations.  Companies can then carry out stress tests to identify their vulnerabilities, be it their IT infrastructure or the threat of 'phishing' through online distribution channels where personal credentials might be obtained to allow access to IT systems.

The potential damage of IP theft is already recognised by many companies, but the increasing interconnectedness of day-to-day life through the 'Internet of Things' is of growing concern. Reputational damage, however, remains of utmost importance to companies, which face huge costs and a drop in consumer confidence if large-scale hacks occur. Such attacks can be 'rapid, highly damaging, and public potentially leading to a vicious cycle of declining investor and customer confidence and therefore cash availability', according to the report. As such, companies need to respond appropriately.

The report highlights the lack of awareness of the availability of insurance in this sector and points out that less than 10% of companies have cyber security insurance.  

One initiative that the Government has already backed is Cyber Essentials, an industry-supported scheme that helps organisations protect themselves against common cyber attacks. It provides guidance on the basic controls that all organisations should have in place, such as boundary firewalls, internet gateways and access control. Companies can then use Cyber Essentials Certification as evidence of the security protection they have in place.

Further recommendations for businesses are highlighted in the report. A key initiative is that Marsh will launch a new cyber insurance product for SMEs which will cover the cost of Cyber Essentials certification. Whilst this kitemark system is a good step towards ensuring a basic level of security, businesses should not neglect the fact that cyber threats are an ever-evolving risk that requires constant attention and frequent security updates.

Secondly, the insurance industry should help establish cyber insurance as an essential part of a business's tool-kit.  Better guidance and discussion will be a key part of informing businesses and enabling accurate assessment of this specific type of risk.  The Government hopes that by establishing a standard, insurance companies can better write risk and premium prices will come down.  However, both clients and brokers should carefully consider the types of policies applicable and the exclusions within them. 

As for insurance coverage, London has a reputation for leading on large-scale complex risks that are challenging to underwrite locally. 

Recommendations for the London insurance industry include writing clear statements in policies and reassuring businesses that cyber risk is covered.  By tackling cyber risk head on, the UK wants to become the hub of the cyber insurance market.  There is no doubt that cyber risk is going to continue growing in importance; the challenge will be staying ahead of the game in the context of rapidly advancing technology.