Welcome to CRIF.

The insurance industry has responded to the growing nature of data and network integrity risk so far back as to pre-date the “millennium bug” scares. However it is in recent years that the prevalence of “cyber” insurance has arisen, primarily due to the increasing exposures in the US with regards to individual state notification laws and an aggressive plaintiff bar. 

In some ways this has further muddied the waters with regards to what “cyber” insurance actually covers.

A myriad of policies have been developed by tens of insurance markets; many with only very specific coverage provided and limited to exposures such as privacy or covering disruption only arising from malicious attacks.

The word “cyber” may have impact to a board member or the media, but it is insufficient to provide detail to the complex risk environment surrounding information and privacy risks or critical network dependency.

The last two years has seen some high profile cyber-attacks and a growing move by UK business to better understand the threat whilst reaching out to UK Government for more action.  Even without the purchase or risk transfer to insurance, US business listed on the SEC can be requested to report quarterly on whether intruders had breached their computer systems.   We therefore need to do more in the UK to promote the awareness of cyber insurance and effective risk management.  CRIF is looking for organisations to join the forum and discuss their cyber issues and how they’ve assessed their cyber posture in an ever increasing threat in the digital age.

Demonstrating a responsible attitude to Cyber Risk and demonstrating that you have undertaken a proper Risk Assessment is increasingly important for commercial success. Global Standards from ISO as well as various national standards make it a requirement that a structured, comprehensive business approach is applied to the management of ICT and Cyber Risk. 

Being able to demonstrate your Cyber Risk Management capabilities is now a commercial enabler and essential to maintain not only organizations accreditations across ISO 27000, ISO 22301 but in the near future all other ISO standards as they are revised. Managing Cyber Risk is much more than a technical I.T. function, it interconnects with all of your processes, customers and stakeholders and how you meet the challenge will be a key factor in your future success.

CRIF’s view is that any awareness or guidance provided by UK Government is pivotal to the success of reducing cyber-attack and combating cyber-crime, but the reality is that most of UK businesses are not aware of the extent of the cyber problem in their industry sector or their supply chain.  However, businesses don’t simply trade in the UK and the effect of any EU cyber initiatives as well as the proposed changes in the EU Data Protection Directive need to be carefully reviewed to ensure that risks are being managed.

As an adolescent class of business, cyber insurance is underwritten from a number of different perspectives, with no uniformity of information requirements, best practices or risk management advice. CRIF will work towards the development of greater synergy between effective risk management and appropriately tailored, cost-efficient insurance cover.

It is our goal that through our activities you will benefit from the potential of the technology at the heart of modern business, but also improve the management of the risks associated with it. We look forward to hearing you views.

Matthew Hogg

Chairman