Implications of the expanding cyber insurance market

The government’s interest in improving the country’s cyber security continues: following the publication of the National Cyber Security Strategy (NCSS) in November 2011 and the launch of the Cyber Essentials scheme in June 2014, the government is now collaborating with the insurance industry to promote the growth of ‘cyber insurance’ as a means of improving cyber security risk management in the UK.

On 5 November, Cabinet Office minister Francis Maude and insurance broker and risk adviser Marsh co-hosted a summit of 12 CEOs from the UK’s insurance sector to discuss how, by creating a comprehensive cyber security insurance model, they would help ensure that the UK was one of the safest places to do business in cyberspace.

Mr Maude said that the benefits would be twofold: first, it would mitigate the damage caused by cyber attacks on British organisations by protecting them against the economic impact of a data breach; second, it would encourage businesses in the UK to adopt better cyber security as a means of driving down their insurance premiums.

“We’ve always been clear that cyber security is not an issue for government alone; it is also an issue for business,” Mr Maude said. “Around 80 percent of attacks could be mitigated with basic hygiene, patching etc. We need to be constantly pushing this and we think insurance is a way to do it.”

Government support

In a joint statement, the government and the insurance industry said:

“The Government supports the growth of the cyber insurance market to improve how UK businesses manage cyber security risk. The Government believes cyber insurance has a strong role to play in helping firms outside of the critical national infrastructure to manage their cyber risks efficiently…

“Insurers providing cyber breach and wider operational risk cover can play an integral role in driving improvements in cyber security risk management. By asking the right questions and helping customers, insurers and insurance brokers can help promote the adoption of good practice, including Cyber Essentials, that reduce the frequency and cost of breaches. Not only can cyber insurance help businesses to meet the costs of a security breach event, but it can also provide front end risk analysis to gauge the organisation’s exposure to cyber risk, and deliver rapid incident response services that are critical to minimising the impact of a breach.”

A working group focusing on issues relating to cyber insurance is due to report its conclusions to the Cabinet Office in April 2015. Cyber insurance is already available from a minority of insurers, but if the cyber security insurance model gets government approval, the number of major insurers offering similar policies is likely to increase dramatically.

Increased data security in 2015?

In turn, this could mean that 2015 will see an explosion in the number of certifications to Cyber Essentials or ISO 27001. “The risk to business in the UK and globally is growing,” said the joint statement. “81% of large businesses and 60% of small business suffered a cyber security breach in the last year and the average cost of breaches to business has nearly doubled since 2013.”

Companies operating in the UK that want to protect themselves against that increased risk – and cost – would do well to adopt recognised cyber security measures as a means of proving their compliance with industry best practices, and so decrease their insurance premiums.

The Cyber Essentials scheme is a government-approved set of five essential cyber security controls based on the international standard for information security management, ISO 27001.

IT Governance’s CyberComply is a unique online service that enables companies to apply for CREST-accredited certification to Cyber Essentials for only £300, following a convenient ‘do-it-yourself’ approach.

Visit our website for more information and to book your CREST-accredited Cyber Essentials certification.



  1. Frank Martin 10th December 2014
  2. Steve Watkins 11th December 2014