Baroness Paul of Shepherd's Bush (Lab)

- View Speech - Hansard -

Copy Link

-

My Lords, I have very much enjoyed the range and quality of the speeches that have been made this afternoon and into this evening. In particular, I congratulate those members of the class of 2026 who made their maiden speeches today. I am biased, but I think this is going to go down as a vintage intake and a very special one for the future—I would say that, would I not?

Before I make my comments, I declare my interest as a director of the Government-backed terrorism reinsurer.

I welcome the Government’s continued focus, set out in the gracious Speech, on strengthening the resilience of the United Kingdom in an increasingly uncertain and volatile world. In that context, the cyber security and resilience Bill represents an important and timely step in modernising the framework that protects our digital economy. However, if we are to build a true national resilience to cyber threats, we need to think not only about how we prevent incidents but about how we respond to them and recover quickly when they occur. In that spirit, I will briefly highlight the importance of the cyber insurance market in keeping us safe.

Insurance is a vital but often underrecognised component of our economic resilience. It helps businesses absorb shocks, supports recovery, and enables those who have been impacted to get back on their feet fast. In every survey of leading businesspeople, cyber risk tops the poll of what they are concerned about, with a recognition that the capabilities of those who wish to harm us are evolving at pace and that we just cannot keep up. In this context, specialist insurers are well placed to help businesses, especially small businesses, understand the risks that they face and the mitigation activities they can take to protect themselves.

Underinsurance, however, is a real problem. There remain significant protection gaps across the full gamut of the risk spectrum. At one end, among small businesses, the take-up is worryingly low. A recent report by the Association of British Insurers, Small Business, Big Risk, shows that fewer than 20% of SMEs have any cyber insurance at all, and that percentage goes down as the business gets smaller. Many SMEs either underestimate the risks they face, particularly supply chain risks, or they find the market far too complex or, frankly, too expensive to engage with it. Statistics show that 20% of SMEs that experience a cyber attack will be out of business six months later. So it is an important element of keeping them safe.

At the other end of the spectrum, we have the spectre of systemic cyber attack, which, while reassuringly remote, is still imaginable. A single event, or co-ordinated attacks, could generate widespread outages and result in correlated losses across the economy. This could be a direct action by a state or non-state actor, or even as the consequence of yet unknown vulnerabilities in our complex supply chains and systems.

The incident at Jaguar Land Rover last year only too graphically demonstrated the impact that these events could have on our economy. It is worth noting that Jaguar Land Rover was in the throes of getting its insurance in place and did not have any, whereas Marks & Spencer had insurance in place and made a claim in excess of £100 million. In one incident, the Government had to step in and make financial support and help available to Jaguar Land Rover, but they did not have to do that for Marks & Spencer.

We have to do this in a better way. Pooling arrangements have long been an important and established way for businesses and Governments to risk-share. In other areas of systemic risk, notably terrorism, which I have some experience of, we have recognised the benefits of public and private partnerships, so that the taxpayer does not always have to step in when a significant event happens. The creation of Pool Re back in 1993 as a response to a sustained campaign of terrorist attacks has proved to be an effective partnership for government and industry, enabling, over the 30 years that it has been operating, a fund of £13 billion to be built to pay claims in the event of a catastrophic terrorism event. This is money collected as insurance premiums that is then invested and will be spent before any Government have to step in—before we as taxpayers are called on to support organisations. There is now a growing discussion in the insurance industry, here and across the Five Eyes community, about whether, in time, a similar approach might be required for systemic cyber. I hope that this is a discussion that our Government will consider being part of.

As this important legislation makes its way through this House, I hope we will consider how the insurance sector could be better utilised and its expertise leveraged in helping to meet the ambitions of the cyber security and resilience Bill.