Cyber Security: the government report on the role of insurance

United Kingdom

This article was produced by Nabarro LLP, which joined CMS on 1 May 2017.

Summary and Implications

The UK government recently published its report on UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk. It makes for interesting reading. Some of the facts and figures have already been widely reported: 81% of large businesses and 60% of small businesses in the UK suffered a cyber security breach of some form in 2014; the average cost of breaches has doubled since 2013; and whilst more than 60% of security breaches are the result of accidents, the majority of high-severity losses are caused by deliberate acts.

What may be new and surprising to some readers is the level of uptake of cyber insurance. Only 2% of large UK businesses and practically no small businesses have cyber insurance in place. Many businesses may assume that the impact of a cyber security breach is covered by their existing insurance policies, but in practice such losses may be specifically excluded, so the wording of existing policies should be checked rather than assumed.

The report identifies three reasons why insurance brings a valuable perspective to the evaluation of cyber risk:

  • insurance premiums are set by reference to the likelihood of the insured event occurring, and the prospect of a reduced premium will encourage businesses to take steps to reduce their risk of exposure to a security breach;
  • insurers bring valuable insight to the assessment of risk from their previous experience, albeit experience that is still limited in what is a fledgling market; and
  • insurers have knowledge of the consequences of security breaches, such as business interruption, damage to reputation and the need for rapid response.

The potential losses from a cyber-attack are grouped into 11 categories. The probability and severity of each type of loss will to a large extent depend on the nature of the business. Loss of IP will be a significant factor for a creative media business but less so for many businesses in the professional services industry. However, some categories of loss extend across all industry sectors, such as the costs of investigation and damage to reputation and customer confidence.

Most of the categories of loss are insurable, although in some cases cover will be subject to constraints. However, IP theft and corporate espionage are generally not insurable, as the consequent losses are difficult to prove and quantify.

Cyber insurance is currently expensive, typically around three times the cost of general liability cover and six times the cost of property cover. However, businesses which can demonstrate that they have resilient IT systems and robust corporate governance policies will be better placed to secure a reduced premium than those which leave their exposure to a cyber-attack to chance.

If you would like to discuss the report or you would like assistance in developing your cyber security plan please let us know. We will be happy to help.