On 5 November, Francis Maude, Minister for the Cabinet Office with responsibility for the UK Cyber Security Strategy, co-hosted a summit of CEOs from the UK’s insurance sector in conjunction with Marsh, the insurance broker and risk adviser, to discuss how the sector can help ensure that the UK is one of the safest places to do business in cyberspace.
Today’s event is the first of its kind and marks closer collaboration between government and industry to help promote the growth of the cyber insurance market as a means of improving cyber security risk management. The insurance sector is in a strong position to drive improvements in cyber security risk management. The sector recognises the role it can play in improving good practice by asking the right questions of customers in relation to their cyber breach and operational risk policies.
Cyber threats pose a considerable risk to UK companies, and industry is by far the biggest victim of cyber crime. 81% of large businesses and 60% of small businesses suffered a breach in the last year, with the average cost of breaches to business nearly doubling since last year (see the 2014 Information Security Breaches Survey).
Minister for Cabinet Office, Francis Maude said:
Protecting the cyber security of UK businesses is an important part of this government’s long-term economic plan – we want the UK to be one of the most secure places in the world to do business. We want to support the growth of a cyber insurance market in the UK so we are very pleased to come together with the UK’s world-renowned insurance sector. Cyber insurance does not replace the need for good cyber security practice but is an added protection for businesses in the event of breaches.
Mark Weil, CEO of Marsh UK & Ireland, said:
As recent network attacks and data breaches have demonstrated, cyber security events can quickly accumulate significant costs, inflict reputational damage, and undermine investor confidence. A massive data breach will invite litigation, generate regulatory fines, and instigate law enforcement investigations. Cyber attacks can even cause physical damage by manipulating control processes. Companies should be assessing their vulnerability to cyber attack and taking advantage of risk management and insurance solutions to mitigate the potential for these events to harm their business.
John Hurrell, CEO of Airmic, the UK association for risk managers and insurance buyers, said:
Cyber risk is an enormous challenge which cuts across a wide range of stakeholders and this initiative correctly recognises the need for a coordinated effort to improve the management of cyber risk in business. Airmic very much welcomes closer engagement between the government and the insurance industry, and believes the insurance industry has a critical role to play in improving awareness and informing the debate. We hope that this will in turn foster closer working relationships between other key players, including between IT and risk functions within organisations.
A dozen of the UK’s leading insurers met with the Minister and Cabinet Office, UK Trade & Investment, Department for Business, Innovation & Skills and GCHQ officials to discuss the issue and agree a joint statement. It:
- highlights the risk to UK business posed by cyber attack
- recognises the role insurers can play in driving improvements in cyber security risk management
- commits industry and government to closer working to develop the UK’s cyber insurance market for this purpose
- supports the growth of a cyber insurance market in the UK
- announces the establishment of working groups to focus on key issues and report emerging conclusions back to the Cabinet Office in April 2015
This latest initiative builds on government’s ongoing partnership with industry under the National Cyber Security Programme (NCSP) to ensure that UK businesses have better cyber security protections in place. Guidance such as the 10 steps to cyber security for businesses and the Cyber Essentials scheme provides clear, practical advice on what cyber security controls organisations should have in place. Today’s joint statement also recognises that the government- and industry-supported Cyber Essentials scheme helps businesses protect against the most common cyber threats.
Notes to editors
1) The National Cyber Security Strategy (NCSS), published in November 2011, provided government with a framework and objectives in tackling cyber threats, promoting awareness and providing a growing platform of strong private sector partnership. The strategy is supported by £860 million of funding from the National Cyber Security Programme which has helped put in place new initiatives and structures as part of the government’s response to growing threats in cyberspace.
2) In December 2013, government published the second annual report on progress against the strategy, achievements and spend on the NCSP as well as forward plans.
3) The NCSS has 4 objectives:
- to make the UK one of the most secure places in the world to do business in cyberspace
- to make the UK more resilient to cyber attack and better able to protect our interests in cyberspace
- to help shape an open, vibrant and stable cyberspace that supports open societies
- to build the UK’s cyber security knowledge, skills and capability
The NCSS sets out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment. It makes clear how the investment through the National Cyber Security Programme is being used and which departments are responsible for which actions, and it outlines how the government will take the opportunity to promote growth and minimise the economic impact of cyber attacks by cementing a new partnership with the private sector.
4) The £860 million programme funding provides backing for work to improve the UK’s cyber security capability but government can’t do this alone. Our whole approach hinges on building effective partnerships between government, law enforcement agencies, academia and the private sector. We’re also encouraging organisations within these spheres to work in partnership with each other.
5) The Cyber Essentials scheme was launched on 5 June 2014. This new government-backed and industry-supported scheme guides businesses in protecting themselves against the most common cyber threats. Cyber Essentials is free to download and any organisation can use the guidance to implement essential security controls. Organisations that have been successfully and independently assessed by a certification body can achieve a Cyber Essentials award to demonstrate that they meet the government-endorsed set of basic controls on cyber security.
6) The 10 steps to cyber security was published in 2012 and amalgamates advice from the security services and government departments to provide senior business leaders with guidance on cyber security best practice.