UK Editor

UK NCSC chief calls for a more sophisticated, better priced cyber insurance market

May 11, 2023 | 4 mins
Insurance Industry, Risk Management

Lindy Cameron says it’s time for the cyber insurance industry to engage with better data sharing and transparency to address the risks UK businesses face.

The CEO of the UK National Cyber Security Centre (NCSC) has called for a “more sophisticated, better priced” cyber insurance market to help manage the risk of cyberattacks and their impact on UK businesses. Lindy Cameron spoke to insurance professionals at the British Insurance Brokers’ Association (BIBA) 2023 Conference in Manchester, highlighting that cyber insurance is currently one of the few market-based levers for incentivising organisations to implement security controls and cyber resilience measures.

Cameron acknowledged that insurance companies often operate in a market where the default position is to compete rather than collaborate. However, collaboration within the insurance sector and with government is important to make the cyber insurance market as mature and effective as possible, focusing on the risks that UK organisations face.

The cyber insurance landscape has seen significant change recently. As the frequency and severity of ransomware, phishing, and denial-of-service attacks have increased, demand for and conditions relating to coverage have evolved. Policies are becoming more diverse, complex, expensive, and harder to qualify for, presenting CISOs and their organisations with new challenges and considerations for optimal cyber insurance investment.

Cyber insurance market needs better data sharing, transparency

“We operate in an uncertain world where our adversaries range from the unsophisticated but effective cybercriminals operating in their bedrooms, to the full-throated might of sophisticated hostile states. Whatever the scenario, each of us has a responsibility to address the gaps in our defences,” Cameron said.

For the cyber insurance industry, this includes raising the minimum standards you expect of your customers, being realistic about the risks that your customers face, better data sharing, and better transparency during incidents, she added.

There is an added incentive in the cyber insurance field to ensure that customers make better, more informed decisions about their overall cybersecurity requirements and their resilience, Cameron said. “This will deepen their understanding of the coverage and value of insurance on the market and help them choose the cyber insurance policy that is right for their business. It might also mean that you’re not paying out for avoidable claims.”

If the UK is to respond to the threats it faces, there is a need to continue to evolve understanding of the scale and impact of incidents, Cameron argued. “Data is key to this, and insurers are in a unique position to help build this understanding.”

Insurers hold a wealth of data and information that could be used to better understand the threat landscape, which could be used to build risk-based pricing models that incentivise the market. “However, the lack of aggregated data sharing across the industry on the scale and impact of incidents is hampering the maturity of the market and the models on which cyber insurance is priced.” The NCSC wants to incentivise anonymised data sharing to improve collective understanding without skewing the insurance market, Cameron said.

Cyber insurance sector a force for good in securing UK business

On a macro level, the cyber insurance industry can be a force for good in making the UK the safest country in the world to do business, Cameron argued. “Prosperity and economic security go hand in hand.” This should not be done through regulation, but the market has a key role to play, she added.

“Getting fundamental cybersecurity controls right can make a measurable difference to resilience, and the pay-outs that insurers must make, but this message is not getting through.” It has been said that only 200,000 of the 2.7 million businesses in the UK with a website buy standalone cyber insurance policies. “I’d love to believe that this was because it was covered as part of their wider business insurance, but I don’t believe this is the case.”

Time for insurance industry to agree on appropriate cyber certification requirements

This is partly due to a basic lack of understanding about cybersecurity, but the insurance industry has a key role to play here, as a disjointed approach to adopting minimum cyber standards is compounding the problem, Cameron said.

“We all know that to get car insurance, you need (amongst other things) a driving license, tax, MOT, and a commitment that you have not modified your vehicle in some dodgy way that will make it more unsafe.” There is no equivalent benchmark for cyber insurance, with no minimum protections that organisations must have before they are issued a cyber insurance policy.

The time has come for the insurance industry to agree appropriate cyber certification requirements as a prerequisite for taking out a policy, Cameron stated. Embedding cyber certification into the underwriting process would provide organisations, regardless of size and revenue, with greater confidence that they have done everything they can to meet the insurance policy threshold, she added. “Such certification will raise the bar across the economy and reduce the market’s exposure to avoidable, but costly claims.”

Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.