The BCI

The role of insurance in managing and mitigating the risk

News   •   Mar 25, 2015 15:23 GMT

With 81% of large UK businesses and 60% of small companies suffering a cyber security breach in the last year, a new report published by the UK Government and Marsh entitled UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk has highlighted the exposure of firms to cyber attacks among their suppliers.

Cyber threats are estimated to cost the UK economy billions of pounds each year with the cost of cyber attacks nearly doubling between 2013 and 2014. The report found that, while larger firms have taken some action to make themselves more cyber-secure, they face an escalating threat as they become more reliant on online distribution channels and as attackers grow more sophisticated. The report issues a call to arms for insurers and insurance brokers to simplify and raise awareness of their cyber insurance offering and ensure that firms understand the extent of their coverage against cyber attack.

The cyber threat is also very real for business continuity professionals, with the Business Continuity Institute’s latest Horizon Scan report highlighting that cyber attacks are now perceived to be the number one threat to organizations. 82% of respondents to a survey expressed either concern or extreme concern at the prospect of this threat materialising.

The report recommends that organizations stop viewing cyber largely as an IT issue and focus on it as a key commercial risk affecting all parts of their operations, and that they examine the different forms of cyber attacks they face, to stress-test themselves against them and to put in place business-wide recovery plans.

The report also notes a significant gap in awareness around the use of insurance with around half of firms interviewed being unaware that insurance was available for cyber risk. Other surveys suggest that despite the growing concern among UK companies about the threat of cyber attacks, less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.

Francis Maude, Minister for the Cabinet Office and Paymaster General, said: “Insurance is not a substitute for good cyber security but is an important addition to a company’s overall risk management. Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats”.

Mark Weil, CEO of Marsh UK and Ireland, added: “While critical infrastructure in regulated sectors, such as banks and utility firms, are used to this kind of risk, most firms are not and their risk management practices are geared around lower-level, slower moving risks. Companies will need to upgrade their risk management substantially to cope with the growing threat of cyber attack, including introducing disciplines such as stress-testing, and creating a joined-up recovery plan that brings together financial, operational, and reputational responses.”