CRIF submission to BIS on Cyber Risk

Cyber Risk Call for Evidence

In March 2013, the UK Department for Business, Innovation and Skills issued a “Call for Views and Evidence” that built on the commitments made in the 2011 Cyber Security Strategy published by government.

The Call for Evidence focused on the intention of government to encourage the adoption of industry-led standards that can be used by organisations to improve the management of cyber risk.

The particular focus of this work stream, which is part of a series of connected developments across business and government, was centred on the needs of SME companies.

Over the past six months there have been numerous BIS workshops to gather opinions and support the discussions across industry and professional groups.

The Cyber Risk and Insurance Forum has been part of this process of engagement through three separate channels aimed at security professionals, the insurance sector and a cross-industry group that was formed to develop stronger engagement and consolidate thinking to support the BIS process.

CRIF was represented at these meetings by Daljitt Barn, Matthew Hogg and Russell Price.

The key outcome for BIS was the formal submission of recommendations on what “standard” for cyber risk would best fit the needs of SME companies.

From an early stage in the industry discussions it became clear that, while highly desirable, the selection of a single standard was problematic. Many of those involved in extensive debates and discussions were strongly of the opinion that when it comes to cyber risk “one size won’t fit all”. Of particular importance to the SME community was the need to identify something that connected back to core business values and that had the capability to meet the needs of a very wide and diverse range of stakeholders.

Obviously there are existing standards that can provide a great many of the capabilities that are needed, but these tend to be focused on the needs of larger, more complex organisations that have the resources and skill sets to implement, manage and maintain formal management systems. Certainly standards such as ISO 27000 can meet the requirements if properly applied, but it is difficult to see how over 4 million small businesses can realistically adopt this type of management system.

In addition to the focus on ICT needs, the broader dimensions associated with risk management also need to be reflected; arguably this is the essential component for all businesses, not just SMEs, if they are to gain the best value and effectiveness. Cyber security is now at the heart of our economy, with organisations large and small grinding to a halt when systems fail or processes are disrupted. Understanding how these risks affect organisations in the right context is an essential element in setting out cyber risk policies and programmes.

CRIF contributed significantly to the discussions on how cyber risk management has to be structured both to fit the specific needs of information assurance and to be effectively addressed in a typical SME. The Cyber Risk and Privacy framework, developed by the CRIF founding members, provided an invaluable model to illustrate how the management of cyber risk should be structured to meet these goals, delivering operational capability and business security.

The Cyber Risk and Insurance Forum framework was used to help develop and change the wider thinking of industry and gained considerable support. It provided not only a focus on the ICT dimensions, but also added elements that focused on the correct identification of risks, building a framework to deliver information assurance, developing the capability to recover and, critically, a positive approach to the management of any residual risks through insurance.

This last point is essential when engaging with businesses of all types, but especially SMEs. While standards certainly can provide a lot of value, real performance can depend on softer measures. These can be cultural or process-led, but they get beyond what can be a simple tick-box exercise and point to the real capabilities and issues within the business. Few ICT standards deliver this insight.

Consequently, the Cyber Risk and Insurance Forum was unable to recommend a single standard to BIS. However, we were able to highlight the importance of establishing a proper, consistent framework that put the business and its interests at the heart of the cyber risk assessment process. This approach led to many other organisations adapting or altering their submissions to BIS, with a much stronger emphasis on the need for a more flexible and adaptive framework approach, and not a single standard, if SMEs are to gain a real cyber risk capability.

The CRIF submission to the Department for Business, Innovation and Skills is attached below for your information. If you have any questions or queries, please do get in touch.

BIS will be issuing more information on the next stages of their industry consultation later in the year, and we will keep you informed on developments.

Cyber Risk Call for Evidence Submission