The Cabinet office policy paper “UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk” was launched on 23 March 2015 as the government looks to raise awareness of cyber risks and the fly the flag for the UK insurance sector’s expertise in addressing that risk.
This paper follows the ‘Cyber Essentials‘ initiative, which provided guidelines for best practice and a two-tier accreditation for organisations fulfilling the scheme’s requirements. The London market already writes more than 10% of global cyber insurance, the majority coming from the US, representing around £160m in premiums. The government, in partnership with the London market, wants to build on these foundations.
According to the FBI there are two kinds of companies: those that have been hacked, and those that will be. It is clear that helping businesses manage and mitigate relatively new cyber risks is becoming ever more a priority. There have been numerous high-profile cyber incidents in the press, but smaller businesses are also becoming aware of the threats. Indeed, estimates put the average cost of a data breach in the UK in 2014 in excess of £2 million.
It is not just the high profile hacking cases that has companies keen to get coverage. New UK data protection law will include strict penalties for companies that are hacked. The General Data Protection Regulation from the European Commission will also require companies to notify their stakeholders about data breaches, and increases the fines that can be imposed by national data protection regulators. Changing legislation and a growing number of high profile attacks are both driving demand for indemnity solutions.
The government has set out to make London the centre of cyber insurance and risk management in launching their report “UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk“.
It is hoped that the London insurance market can:
- increase its share of the US data-breach market
- expand cyber cover to other forms of loss from cyber attacks
- promote the London market around the world, notably in Europe which is expected to respond to EU legislation on data breaches
The recommendations contained in the UK Cyber Security report include:
- Lloyd’s, the ABI and the government are to publish a guide on cyber insurance
- Policies should now including clear statements assuring policyholders that they are covered for cyber risks
- The government’s Cyber Essentials certification should be included as part of the risk assessment for cyber insurance
- Launching a forum to share data on cyber risks
- Lloyd’s and UKTI will promote the cyber capabilities of the London insurance market to key countries
The second recommendation above is critical. The government has recognised what the industry has been talking about for some time – at present, policyholders often find themselves in a netherworld – unsure as to whether their existing cover includes cyber risk or whether they need to purchase separate, stand-alone cyber insurance. This drive for certainty of cover, by way of clear statements in policies assuring policyholders that they are covered for cyber risks should be an absolute priority.
In the meantime, the insurance sector itself is champing at the bit to market its capabilities and expertise in this area to the rest of the world. As always, with risk comes opportunity.