On 5 June a new government initiative went live aimed at encouraging businesses to protect themselves from the ever-growing risks of cybercrime. This new initiative, named “Cyber Essentials”, aims to fulfil two key functions: firstly, it provides a clear statement on the steps that should be taken by businesses to mitigate the risk of cybercrime; and secondly, it provides businesses with a way in which they can demonstrate to consumers, insurers and others that they have taken the necessary precautions.
Until now there has been no universally accepted certificate of compliance with regard to cyber protection, so this government initiative will be a first. Cyber Essentials allows companies to become certified at either a standard (Cyber Essentials) or enhanced (Cyber Essentials Plus) level through its Assurance Framework, creating the cyber-security standard across all businesses that has been lacking.
The implementation of the Cyber Essentials initiative will be of particular interest and importance to the insurance industry, as demonstrated by AIG, Marsh, Swiss Re and the International Underwriting Association (IUA), who have all backed the initiative’s implementation. As the risk of cybercrime has increased over the last decade and the severity and frequency of attacks have increased, so has the demand for new and innovative insurance products to mitigate these risks. Demand for privacy and data protection products has never been higher as corporations come to realise the value of their data and the catastrophic consequences a serious breach could have upon their business.
Previously, in the absence of a universal assurance certificate of cyber protection, it had been difficult to assess the risk of companies seeking such protection on a level playing field. This new scheme should go some way to making this process easier and more transparent. Indeed, it is interesting to note that some insurers, including AIG, are going further than backing the implementation of Cyber Essentials and have said they will offer incentives to companies seeking cyber insurance.
Cyber Essentials is a positive step in the fight against cybercrime. Cybercrime is a new threat which barely existed 20 years ago but has a propensity to continually and quickly evolve, threatening companies and their data in a variety of ways. The fight to mitigate these risks must also evolve to meet the threat. It is hoped that Cyber Essentials will limit the susceptibility of UK companies to such crimes and the liability and loss that ensues, whilst the certification provides a clear yardstick by which insurers can assess the risk posed by potential clients seeking cyber coverage. Risk can therefore be better assessed by underwriters and pricing adjusted accordingly, protecting insurers from unnecessary risk and potential exposure.
It is, however, important to note that the scheme benchmarks a minimal level of protection, so caution should still be exercised. The Assurance Framework setting out the certifications available has been designed to be “light-touch” and to be “achievable at low cost”. The target of the scheme therefore appears to be SMEs, as opposed to large multinationals. Such multinationals have a greater budget to spend on cyber security, but also potentially more to lose should they fail to protect themselves. Certification does not mean that the company in question is safe from attack, nor does it mean that no further defences are required. The most sophisticated attacks can still be successful, so companies, especially those in possession of sensitive data, should be sure to implement further layers of protection, and insurers should keep in mind that a certified company may still have a high level of risk.
The backing of the insurance industry, together with the fact that global companies such as BAE Systems, Barclays and Hewlett-Packard have already applied for the Cyber Essentials awards notwithstanding the targeting of SMEs, suggests that overall the insurance sector views this as a positive step to protect British business from the threat of cybercrime.