Draft UK cyber governance code – a boon to cyber insurers?

Matt Waller, head of underwriting, UK at Corvus Insurance, argues that the UK government’s draft addresses a fundamental component of good cybersecurity – buy-in from the very top.

Getting the C-suite’s ear on the issue of cyber governance hasn’t always been easy. In the early years of cyber risk, cybersecurity was often seen as a cost centre, particularly where digital assets weren’t fundamental to the business proposition.

Data protection regulation, including the General Data Protection Regulation in the EU and the UK’s Data Protection Act, served as a wake-up call for larger companies. However, those not caught by the rules didn’t share the same urgency.

The rise of ransomware has increased awareness of the business interruption impact and the risks of cyber attacks. Many more companies now have digital assets and data at their core, and the sharp increase, and rapid evolution, of cyber attacks have laid bare the consequences of having these stolen or compromised.

However, in last year’s cybersecurity breaches survey, the government found that overall board engagement was getting worse. In this context, there is clearly still work to be done.

As the code recognises by emphasising regular risk assessment and appropriate monitoring, a once-and-done approach to cybersecurity doesn’t cut it. With its focus on training and education, the code also underscores the need for every individual to join the fight against cybercrime. All this is only possible if driven by company leaders.

The code is part of the government’s £2.6bn ($3.3bn) National Cyber Strategy and puts cyber risk on a par with directors’ other risk-management duties.

As a voluntary code – though one designed to dovetail with existing regulatory obligations – it strikes a good balance between avoiding a one-size-fits-all approach and setting concrete requirements. These include quarterly cyber risk reporting, agreed cyber resilience target ranges, and the testing of incident response planning at least annually.

Helpfully for the insurance sector, the code aligns closely with underwriters’ approach to onboarding and to the continuous engagement over cyber risk that lies at the heart of any good cyber insurance policy.

Indeed, the code’s five components – risk management; cyber strategy; people; incident planning and response; assurance and oversight – are all fundamental to Corvus’ underwriting appetite and the ethos we look for from our insureds.

The code also proposes a kitemark for compliant companies for use by insurers and other business partners, further supporting the risk transfer process.

All in all, the guidelines look set to be a key education tool for insureds that is highly symbiotic with the insurance offer, including the ongoing relationship all companies should have with their cyber insurers.

It is early days – the government is still taking views on the draft – but companies wondering where to start should begin by establishing a cross-functional working group to understand their tech stack, their cybersecurity framework, and any changes in the pipeline, including investment plans.

The draft code will put cybersecurity on the agenda of more organisations by formalising expectations of directors and providing a structure to help them meet these. With a framework that is deeply compatible with high-quality cyber cover, it could also go a significant way towards helping to close the cyber insurance protection gap.