A Government minister has co-hosted CEOs from the UK insurance sector with Marsh, the insurance broker and risk adviser. The November 5 meeting was to discuss how the sector can help ensure that the UK is one of the safest places to do business in cyberspace, a Coalition Government aim.
Read the joint statement from government and the insurance industry.
Francis Maude, Minister for the Cabinet Office with responsibility for the UK Cyber Security Strategy, was host. Afterwards he said: “Protecting the cyber security of UK businesses is an important part of this government’s long-term economic plan – we want the UK to be one of the most secure places in the world to do business. We want to support the growth of a cyber insurance market in the UK so we are very pleased to come together with the UK’s world-renowned insurance sector. Cyber insurance does not replace the need for good cyber security practice but is an added protection for businesses in the event of breaches.”
And Mark Weil, CEO of Marsh UK & Ireland, said: “As recent network attacks and data breaches have demonstrated, cyber security events can quickly accumulate significant costs, inflict reputational damage, and undermine investor confidence. A massive data breach will invite litigation, generate regulatory fines, and instigate law enforcement investigations. Cyber attacks can even cause physical damage by manipulating control processes. Companies should be assessing their vulnerability to cyber attack and taking advantage of risk management and insurance solutions to mitigate the potential for these events to harm their business.”
John Hurrell, CEO of Airmic, the UK association for risk managers and insurance buyers, said: “Cyber risk is an enormous challenge which cuts across a wide range of stakeholders and this initiative correctly recognises the need for a coordinated effort to improve the management of cyber risk in business. Airmic very much welcomes closer engagement between the government and the insurance industry, and believes the insurance industry has a critical role to play in improving awareness and informing the debate. We hope that this will in turn foster closer working relationships between other key players, including between IT and risk functions within organisations.”
A dozen insurers met with Maude and UK Trade & Investment, Department for Business, Innovation & Skills and GCHQ officials to discuss the issue and agreed a joint statement.
Cyber threats pose a considerable risk to UK companies, and industry is by far the biggest victim of cyber crime, as the joint statement from Government and the insurance industry admitted. Some 81pc of large businesses and 60pc of small businesses suffered a breach in the last year, with the average cost of breaches to business nearly doubling since last year, according to the 2014 annual Information Security Breaches Survey.
The statement admitted that cyber insurance does not remove the need for businesses to manage their risk from cyber attack; it also takes security spend, education and risk management controls. As for the actual upshot of the meeting, industry-chaired working groups will be established, to report to the Cabinet Office by April.
Afterwards, Ross Brewer, vice president and managing director for international markets, LogRhythm, said: “We’ve seen a slew of very high-profile security breaches take place this year, with organisations from eBay to OFFICE finding themselves in the firing line. What’s slightly concerning is the fact that cyber crime is now so commonplace that these incidents go by with barely an eyebrow raised when they are reported. While businesses themselves clearly have to deal with the consequences of these attacks, they also cost the UK as a whole a vast sum of money. Joining forces with insurers makes sense for the government as it will enable it not only to raise awareness of the issue, but also ensure damage is limited.
“While cyber insurance has been around for a while, the market has been relatively slow to take off. However, as cyber criminals become more sophisticated and we realise the inevitability of attack, it makes sense that businesses would want to have the greatest level of protection as the aftermath of a serious breach could be akin to a large-scale burglary. For insurers it’s not surprising they would want to capitalise on this modern risk facing UK businesses, and working with the government only provides a greater opportunity to get the word out there. However, Francis Maude is right and businesses must see insurance as a safety net, and not as a security tool. Just as you wouldn’t forgo your fire alarm when you purchase contents insurance for your house, organisations must not do the same with their defensive security measures.
“It is imperative that the right checks and balances are maintained to keep corporate networks watertight, as the protection of private information should be paramount – rather than simply covering the costs of a breach. Protective monitoring and security intelligence should be the go-to strategy throughout organisations, as it provides the most granular view into all network activity. This ensures that anything untoward can be immediately identified and stopped in its tracks before any lasting damage is done – or big insurance payouts are required. So, while there is no harm in having insurance, and it will likely prove advantageous to both businesses and the UK economy, it must not be seen as the be all and end all, otherwise we’re going to be seeing a lot more breaches, a lot sooner.”
And Darren Anstee, Director of Solutions Architects at Arbor Networks, said: “With cyber-attacks becoming ever more frequent and sophisticated, enhancing businesses’ ability to prevent and insure against losses due to cyber-crime is obviously a good thing. Recent research from the Economist Intelligence Unit, sponsored by Arbor Networks, revealed that the demand for insurance against potential losses is growing strongly, and is no longer purely something for very large organisations. Regulatory changes, media coverage, contractual requirements for cover and actual experience of breaches are all playing their part in the growing demand for insurance. However, businesses should not rely on insurance as a way of mitigating their risk of attack. Organisations can no longer afford to make mistakes when it comes to security, and need to implement multi-layered defences and the appropriate operational processes to protect the business from the attacks that are out there today.”