The National Cyber Security Centre’s initiative demonstrates both opportunities and obstacles for clients, say insurance industry leaders

While the UK government scheme Cyber Essentials works to protect SMEs from cyber risks, it can give firms a false sense of security that they are completely protected.

This was the subject of much debate at Insurance Times’ Cyber risk: What is it and what does it mean for the sector? roundtable, hosted in association with professional services firm RSM last week (26 January 2023).

Cyber Essentials, launched by the National Cyber Security Centre in June 2014, aims to protect organisations of all sizes against a wide range of common cyber attacks using five basic security controls – firewalls, secure configuration, user access control, malware protection and security update management.

There are two levels of certification to the scheme:

  • Cyber Essentials – this enables organisations to assess themselves against the five security controls. A qualified assessor then verifies the information provided. It includes automatic cyber liability insurance for certified organisations that have less than £20m annual turnover (terms apply).
  • Cyber Essentials Plus – a qualified assessor examines the five security controls and tests that they work through a technical audit. It also includes automatic cyber liability insurance for certified organisations that have less than £20m annual turnover (terms apply).

Matthew Clark, cyber director at insurance advisory firm Partners&, is a “big fan of Cyber Essentials” and stated that “for most SMEs” it’s a “bloody good idea”.

“It has some government flavour to it, but it seems to work quite well”, he said.

Simon Gilbert, chief executive at Elmore Insurance Brokers, echoed Clark’s sentiments and said that while the scheme helps improve cyber security awareness, embedding this and insurance together – enabling firms to get “£25,000 of cover for £50” – is a “no brainer” for an SME.

He continued: “You’re getting just a level above everyone else in terms of maturity, awareness and some risk protection – it’s only third party liability, but it’s got the event management piece as well. So, I think that’s a good step in the right direction.

“It’s a starting point for those who are not doing anything at all.”

Another attendee further noted that the scheme has “stepped up its game over the last 12 months”, which has left “a number of public sector clients” unable to recertify because the raised standards have made it a “more credible certification”.

Flawed safety net

Catherine Aleppo, head of UK SME cyber at broker Howden, on the other hand, said Cyber Essentials insurance is “appalling” and puts businesses under the misconception that claims related to crime and financial loss – the “most frequent claim that an SME sees in the UK” – would be covered.

As a result, SMEs “cannot possibly rely on [Cyber Essentials] as an insurance policy”, she added.

Chris Lennon, director for sales and development at broker Specialist Risk Group, agreed with Gilbert that “it is better than nothing”.

However, he added that the “main benefit” is the provision of breach response and “it’s bad”, so there’s a “danger in trying to promote one as a wedge or stepping-stone to the other”.

He explained: “I think it’s a good idea [that has been] badly executed, personally.

“I don’t think we should advocate that because what you’re saying to somebody is for £50 you get a watered-down breach response and that undermines the main thrust of what we’re trying to say, which is actually ‘here’s a gold standard, proper product over here’.”

Gilbert acknowledged that more needs to be done to support SMEs, as he feels a lot of claims have gone unreported and many companies are not investing in insurance.

Clark explained brokers can advise clients that one “quick way to save cash” is to choose an “option for a lower indemnity at renewal because [the client] is still going to get that breach response service, which is the key thing that they’re going to need”.

The chicken and the egg

Specialist insurance provider CFC Underwriting’s cyber development leader Lindsey Nelson, meanwhile, said that from an underwriting perspective, the Cyber Essentials plan “demonstrates good governance, awareness and investment into improving your security posture”.

She continued: “For [CFC], it has zero correlation with whether claims happen or not – but that’s not to put down Cyber Essentials in any way. I could say the same thing about multi-factor authentication (MFA).

“We sometimes see actual cause-effect correlations between MFA and claims, but we’ve seen an increasing amount where they bypassed MFA and the lesson we end up leaving with is there’s no silver bullet, which is exactly why you need cyber insurance.

“So, MFA today, it’s going to be something else tomorrow – it’s also endpoint protection, it’s a million things and the disadvantage for SMEs is that they can’t invest a lot into that infrastructure.

“That’s exactly why they want cyber insurance – it’s to give them resources or to give them the scale that they have to give discounted rates and access to that as part of their security team. So, it is a chicken and an egg argument.”