Legal Update: Cyber Essentials - a major step forward for insurers by Nick Gibbons
Nick Gibbons explains why the government’s recently launched Cyber Essentials Scheme – aimed at improving protection against cyber attacks – is so significant for the insurance industry.
The Cyber Essentials Scheme was launched on 5 June 2014. It represents a major step forward for insurers in terms of raising awareness among clients about the need for effective cyber risk management measures, and it should therefore result in more cyber insurance sales.
Cyber Essentials was developed by the UK government in conjunction with a number of the UK security industry bodies. It lists requirements for basic technical protection from cyber attacks. These include: boundary firewalls and internet gateways; secure hardware configurations; access control; anti-malware protection; and patch management.
Two levels of Cyber Essentials certification are available to businesses of all sizes and in all sectors, as well as non-profit and government organisations. Cyber Essentials certification is obtained after completing a self‑assessment questionnaire that is independently reviewed and verified by a third party, while Cyber Essentials Plus certification is obtained following independent testing for compliance by an external certifying body.
Cyber Essentials is one of a number of initiatives launched by the UK government as a result of growing concern about cybercrime in the UK. Recent figures show the cost of cybercrime has risen every year for the past five years and now costs the UK economy £27bn per year. To put these figures into context, the total value of UK exports in 2013 was £304bn.
The government’s concerns about cyber risk are not confined to the theft of personal data. Other major concerns include the theft of research and other types of confidential information, which causes losses 23 times greater than those resulting from the loss or theft of personal data.
In response to this, the UK Cabinet Office has articulated four strategy objectives to combat cybercrime, to: make the UK one of the most secure places in the world to do business in cyberspace; make the UK more resilient to a cyber attack and better able to protect our interests in cyberspace; help to shape an open, vibrant and stable cyberspace that supports open societies; and build the UK’s cyber security knowledge, skills and capability.
Although meeting the technical standards within Cyber Essentials is not a legal requirement per se, a combination of Cyber Essentials and the 10 Steps to Cyber Security will help organisations of all sizes to implement appropriate information security measures so they can comply with law and regulation.
Data Protection Act
On a related note, the Data Protection Act requires all those processing personal data to implement effective technical, organisational and physical information security measures. Similar requirements are found in other rules and regulations such as the Financial Conduct Authority regulations and Solicitors Regulation Authority rules.
Many cyber insurers have been eagerly awaiting the new European Union Data Protection Regulations because they believe mandatory data breach notification will, by itself, result in a much greater consciousness of cyber risk and, therefore, drive much greater cyber insurance sales.
However, existing mandatory reporting requirements in countries such as Germany have not of themselves resulted either in a flood of notifications or an increase in cyber insurance sales.
From an insurer’s perspective, therefore, perhaps the most significant aspect of Cyber Essentials and other government initiatives is that they will, over time, in tandem with the new Data Protection Regulations, raise consciousness not only in respect of personal data theft but also in respect of the other key cyber risks described above.
Nick Gibbons, partner, BLM