Earlier this week, Francis Maude (the UK Minister for the Cabinet Office who is responsible for the UK Cyber Security Strategy) published a report called ‘UK cyber security: the role of insurance in managing and mitigating the risk’, which explores how cyber security insurance can help firms manage their cyber risks better.
The three points that Maude addresses in the report are:
- The effect that cyber risk has on firms
- The establishment of cyber insurance as part of a firm’s basic tools
- The UK to be a global centre for cyber risk management
Maude states that a breach in cyber security can cause a haemorrhaging of cash flow, the loss of intellectual property and the leaking of customer details online.
The report reveals that a lack of knowledge about cyber threats could lead to losses caused by cyber failure, and that companies are not fully aware of how well cyber security insurance could protect them from threats.
Maude’s objective is to improve how businesses utilise insurance and further improve the government’s record on cyber security, which is built around an £860m strategy intended to find new ways of managing risk.
In the report Maude says it is “part of this government’s long-term economic plan to make the UK one of the safest places in the world to do business online. The UK’s insurance market is world renowned and we want it to be the same in relation to cyber risks.” Maude also believes that insurance “is not a substitute for good cyber security but is an important addition to a company’s overall risk management.”
According to the Financial Times (FT), business CEOs need to be educated about the importance of insurance: usually high-end software is purchased, when it is more beneficial and cheaper to have a better password policy or to stop easily breached USB ports from working properly.
Mark Weil, CEO of Marsh UK and Ireland added in the report that while “critical infrastructure in regulated sectors, such as banks and utility firms, are used to this kind of risk, most firms are not and their risk management practices are geared around lower-level, slower moving risks. Companies will need to upgrade their risk management substantially to cope with the growing threat of cyber attack.”
Another problem organisations have is their inability to inform insurance companies about their losses, meaning that customers who are more careful with their money cannot be told apart from those who are more careless. This has caused insurance premiums to rocket, sometimes to six times higher than property insurance.
The report states that 81% of large businesses and 60% of small businesses suffered from a security breach in 2014 and the average cost to the company has doubled since 2013 to billions of pounds. Last year, Sony’s email server was successfully hacked, which led to the resignation of the CEO, and large companies such as Apple, JPMorgan and Target were also affected.
According to the FT, insurance companies should encourage more prudent behaviour but not punish businesses for losses that are unavoidable, as there has not been enough opportunity for them to fully understand their technology and, therefore, control their cyber threats.
Maude encourages insurers to help companies manage cyber risk by educating clients about the importance of cyber security insurance, but also presents the idea that the UK would be a natural home for the cyber insurance market as it is the world leader for the insurance industry.