Insurance companies in the U.K. are beginning to use the British version of the U.S. cybersecurity framework to certify cyber risk reduction efforts throughout the small- and medium-sized business community — a significant advancement compared to the U.S. market, where cyber insurance remains largely focused on data breaches.
In the U.K., insurers will now look to include Cyber Essentials certification as part of their small- and medium-sized enterprise, or SME, cyber risk assessment, according to a report released last week by the U.K. government and London-based insurer Marsh Ltd. The Cyber Essentials scheme is the U.K. equivalent of the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology in the U.S.
The news comes as government officials in the U.K. and the U.S. have expressed concerns about the lack of cyber insurance adoption by small- and medium-sized businesses. Although the cyber insurance markets in both countries have grown significantly in the past year to more than $2 billion, that growth is primarily attributed to large enterprises. Most companies not only assume they have more cybersecurity coverage than they actually do, but many don’t even know where to start to obtain coverage.
“Many businesses are overestimating the extent to which their existing insurance provides cover for cyber risk,” Francis Maude, U.K. minister for the Cabinet Office and paymaster general, wrote in the introduction to the report.
Working with Marsh and other insurance companies, the U.K. government discovered that 52 percent of chief executive officers believed they had proper cyber insurance coverage, when less than 10 percent actually did. The report blamed the disconnect on the complexity of existing cyber insurance policies.
“Traditional insurance products have not been designed to protect clients against cyber risks. In addition, underwriters of traditional insurance business lines have, in some cases, reacted to the emergence of this new class of risk by introducing cyber exclusions,” the report states. “The result for clients is a complex picture, with a mix of implicit and explicit cover as well as a number of exclusions to contend with. It makes it an exercise in and of itself to ascertain the true level of cover for any given cyber-risk scenario.”
In addition, half of the CEOs surveyed did not realize that cyber risks could even be insured. To help increase awareness, Lloyd’s of London, the Association of British Insurers and the U.K. government have agreed to develop a guide on cyber insurance and to host it on their websites.
“At present, within the insurance sector, the cyber threat is not well defined, with confusion surrounding definitions based on different causes and consequences,” the report states. “Insurers tend to conflate cyber with data breach given the well-developed demand for that cover driven by US regulation; however, UK firms have broader concerns about possible damage from cyber risk, including business interruption, damage to property, and theft of intellectual property.”
Marsh “has arranged for a type of cyber insurance cover for SMEs that pays for the cost of Cyber Essentials certification to reflect the risk reduction that accreditation represents,” the report states. “This should help lead to large firms and banks expecting Cyber Essentials from the SMEs they deal with.”
More data needed
One of the biggest challenges identified by the U.K. government report is the lack of data to help insurance firms better understand the risks different firms face and how to price policies in a way that not only covers that risk but also keeps pressure on firms to maintain minimum security safeguards.
“A paucity of data makes attempts to model cyber exposure difficult. Not only do traditional impact tests such as ‘value at risk’ suffer through a lack of data, they also focus on solvency (size of loss) rather than liquidity, which is the more likely cause of failure from a cyber event,” the report states. “In addition to reducing pricing differentiation, the scarcity of data forces insurers to use over-conservative assumptions. Any form of data pooling among underwriters would therefore benefit their customers.”
In a blog post published March 28 on LinkedIn, Tom Finan, senior cybersecurity strategist and counsel at the Department of Homeland Security, said data pooling by insurers could have larger beneficial impacts.
“Such loss data pooling most likely would involve the sharing of claims information generated from existing cybersecurity insurance policies,” Finan wrote. But to expand those policies to include new areas where little or no coverage exists, including critical infrastructure loss and cyber-related business interruption, sharing of more “raw” loss data is necessary, he said.
“In my view, any form of data pooling about cyber incidents among private and public sector organizations, whether cybersecurity insurance is involved or not, would have a similarly beneficial effect,” Finan wrote. “Analysis of voluntarily shared raw cyber incident data — including loss data — could help inform not only the risk mitigation strategies and investments of chief information security officers but also the risk transfer calculations of insurers that are seeking more solid footing before expanding their current policy offerings beyond the well-established data breach market.”