Businesses that take steps to protect their IT systems from cyberattack could in the future be rewarded with discounted insurance premiums.
Lloyd's of London and two major insurers are in talks with the UK government's Office of Cyber Security and Information Assurance (OCSIA) about lowering premiums for firms that take adequate measures to secure their networks.
The plan was revealed by James Quinault, director of the OCSIA, at the National Security Summit in London on Monday. The OCSIA is part of the Cabinet Office and is responsible for setting and coordinating national cybersecurity strategy.
"If firms can demonstrate the risk of expensive disruption to their IT has been reduced because they have better cybersecurity hygiene, they might be able to trade that for a lower premium," he said.
Quinault did not detail precisely what preventative measures might earn firms a reduction in premiums but indicated the discount could be applied to general policies rather than just those against losses from cybercrime.
Incentives to invest in security
Financial rewards and risk of monetary loss provide effective incentives for businesses to invest in cybersecurity, according to Quinault.
"The key is to get insurers asking questions about this because firms pay attention to questions from insurers in a way they do not to a man from government," he said.
"Until cybercrime is widely recognised as not just a reputational issue, but also a material risk for companies, we do not think they will invest [in protection against cybercrime]."
Investment in training employees how to protect themselves and corporate information online could prevent the majority of losses to cybercriminals, Quinault said.
"Defence would be a lot easier if people just did simple things, like choosing unique passwords, patching regularly and being careful about what information they share online.
"Eighty percent of the attacks we see could be defeated by basic cyber-hygiene, techniques and software that are already readily available."
Other preventative measures being worked on by the OCSIA include extending to other industries the arrangements that currently allow key sectors like telecoms, financial and defence to share information on cybersecurity best practice and threats. There is a need for a kitemark scheme to distinguish the most effective cybersecurity products, Quinault said.