The UK officially opened its National Cyber Security Centre (NCSC) in February, a welcome public private partnership aimed at strengthening cyber security.
A key part of the UK’s Cyber Security Strategy, the NCSC was established as a bridge between industry and government, providing a source of advice, guidance and support on cyber security and incident response.
The creation of the NCSC is a positive step and shows that the UK government is stepping up its investment in the UK’s cyber security capabilities.
We see more successful cyber attacks and poor cyber hygiene in the UK compared with the US, and this is partly down to the skills gap. Public private partnership investments like the NCSC should see skills and knowledge transfer to the private sector, and that can only be a positive.
Role of insurance
But what should be the role of government in encouraging cyber security and cyber insurance?
In a recent paper, Anne Hobson, a technology policy fellow at the R Street Institute, suggested that the US Federal government could promote cyber security among Internet of Things (IoT) providers, which is generally perceived as being weak. She proposed that the US federal government require IoT contractors to use insurance or other risk-transfer mechanisms to take financial responsibility for cyber liabilities.
According to Hobson, through the processes of cyber-insurance underwriting and ratemaking, IoT manufacturers are incentivised to identify and remove vulnerabilities. This, she argues, is preferable to the government generating prescriptive security standards for IoT devices.
There are arguments in favour of mandatory third party liability insurance for cyber risks, especially for high risk organisations and critical infrastructure. Cyber liability insurance encourages organisations to focus on improving their security while investments in cyber security could be rewarded by lower insurance premiums.
Such compulsory insurance requirements are, however, often controversial. But there is already a trend toward contractual requirements for cyber insurance in certain sectors.
Cyber insurance is often seen by organisations as a way of pushing cyber security and risk management through the supply chain. In order to purchase insurance, suppliers will have had their cyber security measures audited by speciality underwriters.
It is common practice for companies to require their suppliers to hold cyber insurance in the US where there is personally identifiable information. And we increasingly see this in other countries.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on email@example.com