Only two per cent of large companies in the UK have explicit cyber security cover, a government report has suggested.
The report, ‘UK cyber security: the role of insurance in managing and mitigating the risk’, was published by the government and insurance broker Marsh, and was produced in collaboration with the UK’s insurance market and various top UK companies.
It found that last year 81 per cent of large businesses and 60 per cent of small companies suffered a cyber security breach. It suggested that cyber insurance could help companies to manage the growing number of cyber attacks – with the cost of such attacks nearly doubling between 2013 and 2014.
But the report notes a lack of awareness around the use of insurance, with around half of firms interviewed being unaware that insurance was available for cyber risk. Just two per cent of large firms have explicit cyber cover, and this figure drops close to zero for smaller firms, the report states.
Cabinet Office minister Francis Maude said that insurance was “not a substitute for good cyber security”, but added that it was an “important addition to a company’s overall risk management”.
“Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats,” he said.
Now, companies such as RBS are coming together with the government to further the development of cyber risk insurance in a bid to establish London as the global centre for cyber risk management. One initiative stemming from the report is that participating insurers will include the government’s Cyber Essentials certification as part of a thorough risk assessment for SMEs.
But is it really necessary for companies to purchase cyber risk insurance?
Last year, Jamie Bouloux, head of cyber products and liability at insurer AIG, explained that demand for cyber insurance, already high in the US, was starting to grow in Europe.
Ian Birdsey, senior associate at law firm Pinsent Masons, explained that the UK cyber insurance market is now “well developed”, with a number of markets offering some sophisticated risk transfer products.
Bouloux had dismissed the notion that organisations that take out cyber insurance will use it as an excuse to relax their internal data governance, stating that companies are more likely to raise cyber security awareness in the workplace and offer training to staff because it affects the pricing of the insurance policy.
Stephen Bonner, a partner at professional services firm KPMG, likened companies buying cyber insurance to individuals purchasing travel insurance.
“It’s like the type of travellers that go on holiday with an expensive camera and valuables and ensure that they are insured, while those who need it more when they go on a skiing holiday or a stag do are probably the ones who would get the most benefit of getting insurance but don’t,” he said.
According to Rob Norris, director of enterprise and cyber security in UK & Ireland at Fujitsu, the development of the cyber insurance market would be a welcome boost to all sectors.
“With cyber threats showing no signs of stopping it is vital that the wider industry continues with its focus on coming together to help businesses by offering services such as cyber insurance,” he said.
However, companies need to check the small print of any insurance policy offered. Richard Cumbley, a partner at Linklaters, suggested that some clients have found the exclusions in these policies make them virtually useless.
“In the EU the premiums may be outweighing the losses recovered,” he said.
Bouloux said that insurance costs can vary quite significantly for different types of companies. He said the “run-of-the-mill risk model” is worth £100,000 in indemnification for an annual premium of £400. However, he added that in some cases premiums can amount to hundreds of thousands of pounds.