Friday, 18 May 2012

Thursday, 1 December 2011

UK announces cyber security strategy that may help develop insurance cover

By Nicholas Pratt

The UK government has announced a multi-pronged initiative to tackle the growing threat of cybercrime. Ostensibly the Cyber Security Strategy is designed to promote the UK as a safe place to do business, particularly in the online market, but it could also help the insurance industry in developing what is currently a limited level of coverage for cyber risks.



One of the UK government’s objectives is to develop collaboration between the public and private sectors and the exchange of information on cyber security threats and possible responses. The so-called cyber security ‘hub’ will give companies access to classified information from the UK’s central intelligence agency GCHQ regarding the latest cyber security threats and the best responses.

A similar initiative, the Defense Industrial Base Pilot, was launched in the US but limited to the defence industry. The UK plan is to launch a pilot in December involving the defence, finance, telecom, pharmaceutical and energy industries and then expand it to other sectors in 2012 if the pilot proves successful.

The government also plans to establish a single reporting system, operated by the National Fraud Authority, for businesses and the public to report any financially motivated cyber crime. According to the Minister for Cyber Security, Francis Maude, ‘closer participation between the public and the private sector is crucial’ in the bid to make sure that the UK ‘remains one of the most secure places to do business’.


As well as bolstering international confidence in the UK’s internet sector, which currently contributes 6% of the UK’s GDP, the government’s strategy could help the insurance industry to address one of its greatest deficiencies in terms of cyber risk.

According to Mark Fishleigh, Head of Insurance at BAE Systems Detica, a UK-based intelligence security firm, insurers need to amass far greater evidence about the level and scope of cyber incidents currently affecting UK businesses in order to price their cyber insurance policies effectively and to take advantage of the significant commercial opportunities.

“We know that companies are struggling to quantify the cyber risks that they face and the insurance industry can play a key role in helping to price this risk accurately. Better risk quantification will lead to more appropriate levels of cyber defences and could drive the growth of a substantial new line of business for forward-thinking insurers,” he said.

There is clearly an increasing interest in cyber insurance; however, this is not currently matched by the scale of coverage on offer. Last year’s premium income from cyber insurance policies in the US is estimated at $800m, according to the Betterley Cyber Risk Insurance survey. There is also a feeling that cyber insurance is too expensive. Typically premiums are 5% of the sum insured. But, Fishleigh said, the evidence base is not yet there to say whether that figure is too high or too low.

“Shared experience is key to this but a lot of cases go unreported. Until this changes, insurers won’t be able to price their policies effectively and cyber insurance will remain headline-based rather than fact-based.”

Mr Fishleigh welcomes the UK government’s cyber security strategy announcement but warns that such initiatives take time (it is not until 2015 that many of the announced ambitions are expected to be in place). And while the information-sharing initiatives could help significantly, ‘questions still remain as to the value to both sides and the incentives that exist’ for companies to disclose any cyber-security information.

The data that exists today is from companies’ own research, from industry specialists that provide data to underwriters and data that is in the public domain. “It is all useful but it is limited,” said Mr Fishleigh. “Companies need help to apply various tools to identify common themes and support expert judgment. The limitations of the data mean it is not sufficiently robust to rely on the statistics alone.”

The one area of cyber insurance where adoption is high and coverage broad is data protection policies in the US, where it is mandatory for companies to inform their customers in the case of a security breach. The EU and UK have spoken about introducing similar initiatives.

And although Mr Fishleigh agrees that legislation can often be a spur for insurance markets, he believes it is only one aspect in terms of managing cyber risk. “What will drive this the most is a better understanding of cyber risk across the company. It is the business that understands the assets that it holds and it is the IT department that can tell you where the company is vulnerable but you need to join up these two areas to make a meaningful quantification of the exposure that companies face from cyber risk,” he said.
