The UK must urgently find ways to make cyber-risk insurance cheaper and less complex for the firms that could benefit from it, a major report compiled by the Government with input from the insurance industry and business has concluded.
The Government signalled its determination to get to the bottom of what has been slowing the uptake of cyber-risk insurance last November when it set up the working group that has now published UK cyber security: the role of insurance in managing and mitigating the risk.
After re-stating the Government’s determination to make London a major world cyber-security insurance hub, the document identifies a number of problems that continue to bedevil the market’s development.
A major issue appears to be that of cost with cyber-cover roughly three times more expensive than for general liability and six times more than for property. Compounding this, insurers have adopted a flat pricing structure in which all firms are charged similar rates regardless of their underlying risk which further discourages take-up.
Conservative pricing was a problem created by a lack of historical data with which to more carefully price risk, something that could be addressed by a system for pooling data, the report concluded.
Lacking the public breach notification found in the US, UK-based insurers could in future benefit from data held in the Cyber Security Information Sharing Partnership (CiSP), it suggested.
The report was less clear about whether a government 'backstop' would be needed to limit the sort of unquantifiable losses that could be suffered by insurers in worst-case scenarios, suggesting that there was “no conclusive evidence of the need for such a solution at present.”
The report recommends that government and the insurance industry set up a forum to discuss the sort of detail needed to resolve such issues.
“The UK’s insurance market is world renowned and we want it to be the same in relation to cyber risks. The market has extensive knowledge and experience of more established risks to help businesses manage and mitigate relatively new cyber risks,” said Minister for the Cabinet Office, Francis Maude.
“Insurance is not a substitute for good cyber security but is an important addition to a company’s overall risk management. Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats.”
Companies still under-estimated the downsides of cyber-risk in a way they wouldn’t do for established risks. They also over-estimated the extent to which their current insurance covered them, he said.
London currently attracts £160 million of cyber-insurance business, a trifling sum next to the market as a whole. The Government believes this could easily be tripled, boosted later this year and next by the expected approval of the EU General Data Protection Regulation (GDPR).
A separate strand of the report deals with the Government’s efforts to get insurers to use certification by SMEs conducted under its Cyber Essentials scheme as part of insurance risk assessments.
Launched last summer, Cyber Essentials is a two-level kitemark system in which small firms undertake a security assessment by approved firms as a way of demonstrating a basic level of competence. The Government talks up the scheme as a good thing but has also said that in time it could become mandatory for firms wanting to do business with the Government’s supply chain.
As hoped, the report underlines that insurers too will now use Cyber Essentials as a mechanism for rational pricing of risk. This is the sort of virtuous circle the Government has been trying to encourage all along – more firms achieving certification lowers premiums or expands cover which in turn expands the cyber-insurance industry. Firms also have an incentive to improve security to achieve certification.
The Government sees insurance as a major component for the country to manage future risks in an economically viable way but tensions remain. The insurance industry is wary of becoming a cog in the wheel of digital policy.
“It is good to see the Government working with the insurance industry to put in place measures to protect businesses against the growing risk of cyber-attacks," said Shaun Crawford, Global Head of Insurance for EY (formerly Ernst & Young).
"However, the burden should not lie solely at the feet of insurers, and the security industry as a whole should be involved. Cyber risk is different to any other type of insurable risk because it is much more dynamic in nature, so whilst insurers have the experience of managing risk, the traditional approach and methodology cannot be applied," he said.
"Although a major part of the shield against attacks, cyber insurance alone is not a silver bullet.”