2% of UK Firms Insured Against Cyber Attacks

Cyber security
Business leaders who were aware of cyber insurance solutions “tend to overestimate” the extent to which they are covered. Kacper Pempel/Reuters

Just 2% of large UK firms have specialised insurance cover against cyber attacks, according to a report published today. This figure dropped close to zero for smaller companies and around half of the CEOs interviewed were unaware that cyber risks can be insured.

Furthermore, business leaders who were aware of cyber insurance solutions "tend to overestimate" the extent to which they are covered, with surveys showing 52% of CEOs believed that they had cover when less than 10% actually did.

The report was jointly published by the government and Marsh, a global leader in insurance broking and risk management, and is the result of the government working closely with the insurance sector following a summit regarding cyber attacks in November 2014.

New joint initiatives between the government and the insurance sector were also announced to help firms address the problem and cement London as the global centre for cyber risk management.

Mark Weil, CEO of Marsh UK & Ireland, said companies must upgrade their risk management substantially to cope with the growing threat of cyber attacks.

Last year 81% of large UK businesses and 60% of small companies suffered a cyber security breach, costing the UK economy billions of pounds, almost double what it was in 2013.

Almost 90% of FTSE 350 companies now include cyber risk within their strategic risk report, up from 58% in 2013.

The London cyber insurance market makes up around 10% of the global market, netting £160 million in premiums, yet the report revealed that policies for UK companies currently only account for an estimated £20-25 million - 1.5% of the global market.

According to the report, while larger firms have taken some action to make themselves more cyber-secure, they face an escalating threat as they become more reliant on online distribution channels and as attackers grow more sophisticated.

Weil said: "While critical infrastructure in regulated sectors, such as banks and utility firms, are used to this kind of risk, most firms are not and their risk management practices are geared around lower-level, slower moving risks."

He urges firms to create a joined-up recovery plan that brings together financial, operational and reputational responses and introduce disciplines such as stress-testing.

Francis Maude, minister for the Cabinet Office and paymaster general, said this recommendation is part of this government's long-term economic plan to make the UK one of the safest places in the world to do business online.

"The UK's insurance market is world renowned and we want it to be the same in relation to cyber risks. The market has extensive knowledge and experience of more established risks to help businesses manage and mitigate relatively new cyber risks," he said.

He added insurance is not a substitute for good cyber security but an important addition to a company's overall risk management.

"Insurers can help guide and incentivise significant improvements in cyber security practice across industry by asking the right questions of their customers on how they handle cyber threats," he said.