Just 2% of large UK companies have a separate cyber insurance policy, according to a government report from a working group set up last November. issued jointly with broker Marsh.
The report observed that "at present within the insurance sector the cyber threat is not well-defined".
The report recommends that that data and information be pooled by the UK government, the London market and the Association of British Insurers, to encourage the take-up of cyber insurance.
"A paucity of data makes attempts to model cyber exposure difficult" says the report, while also observing that traditional impact tests tended to focus on solvency and the size of absolute loss, rather than liquidity problems – "which is the more likely cause of failure from a cyber event".
The report noted that, although the majority (60%) of cyber incidents reported to insurers were the result of accident, the majority of high-severity losses stemmed from deliberate attacks.
There was some difference between the response of large firms and small the medium-sized enterprises (SMEs), with the former trying to make themselves cyber-secure, yet remaining at risk from third-party exposure, while the latter often "did not know where to start". Marsh noted that it had arranged a type of insurance cover for SMEs.
The report claimed that London was already a major centre for cyber insurance, with £160m of cyber-specific premiums coming to London each year, mainly in the form of US data protection coverage. It felt that, although to date there had not been a great demand for cyber-cover from outside of the US, "data protection regulation in Europe and elsewhere is likely to change this".
However, the report also said that it did not think that government financial support was necessary in the sector, noting that "while some market participants have suggested that a possible government backstop may be necessary, there is no conclusive evidence of the need for such a solution at present".