Cyber security risk management
Assess and manage cyber risks, create security policies and practices, and consider cyber insurance for your business.
Cyber security protects your systems, networks and data from digital threats. It uses a range of practices to reduce risks, prevent attacks and block unauthorised access.
What is cyber risk?
Cyber risk refers to any risk of financial loss, disruption or damage to your business from:
- online activities or trading
- failures of your IT systems and networks
- personal data use and storage
Cyber risk affects any business that uses digital technology. See also: what is IT risk.
Cyber risk assessment
A cyber risk assessment helps you identify and manage potential cyber threats arising from people, processes and technologies, and vulnerabilities within your systems.
UK law, including the UK General Data Protection Regulation (UK GDPR), requires businesses that handle personal data to put in place security measures appropriate to the risk, which in practice means assessing those risks. A documented risk assessment also underpins certification schemes such as Cyber Essentials. Regular reassessment keeps your defences up to date as threats change.
How to assess cyber risk
A cyber risk assessment involves checking what could go wrong, how likely it is and what the impact would be, so you can take steps to reduce those risks. Carry one out when you first set up your systems and repeat it periodically. Typically, you will want to:
- Identify your assets: List computers, data, software and services that matter to your business.
- Spot threats and vulnerabilities: Look for risks like phishing, weak passwords or outdated software.
- Analyse the risks: Rate each by likelihood (low, medium, high) and impact (financial loss, downtime, reputational damage). Use standard IT risk assessment methodology to prioritise high-likelihood, high-impact risks.
- Decide on actions: Prioritise and roll out fixes, such as staff training or software updates.
- Document and review: Record everything and check again every six to 12 months, or after big changes.
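As an added example (not from the original page or from the NCSC), the five steps above expressed as a small risk register in Python. Each entry records an asset, a threat, low/medium/high ratings for likelihood and impact, the planned action and the date it was last reviewed. Risks are scored as likelihood × impact on a 3×3 matrix and sorted by priority, and a review is flagged when the interval has passed or a big change has happened since the last review. The assets, threats and dates are constructed sample data, and the month arithmetic is deliberately simplified.

```python
"""Minimal cyber risk register: score, prioritise and schedule reviews.

Added example, not code from the original page. Assets, threats and
dates below are constructed sample data, not real findings.
"""
from dataclasses import dataclass
from datetime import date

# Qualitative scale from the text: low / medium / high for both axes.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str            # what is at risk (step 1: identify assets)
    threat: str           # how it could go wrong (step 2: threats and vulnerabilities)
    likelihood: str       # "low" | "medium" | "high"
    impact: str           # "low" | "medium" | "high"
    action: str           # planned fix (step 4: decide on actions)
    last_reviewed: date   # when this entry was last assessed (step 5)
    changed_since_review: bool = False  # big change: new system, supplier or incident


def score(risk: Risk) -> int:
    """Likelihood x impact on a 3x3 matrix, giving a value from 1 to 9."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def rating(s: int) -> str:
    """Band a matrix score: 6-9 high, 3-4 medium, 1-2 low.

    Scores 5, 7 and 8 cannot occur as a product of two values in 1..3.
    """
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def prioritise(risks):
    """Highest score first; ties broken by asset name so the order is stable."""
    return sorted(risks, key=lambda r: (-score(r), r.asset))


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to 28 to avoid invalid dates (simplification)."""
    total = d.month - 1 + months
    return date(d.year + total // 12, total % 12 + 1, min(d.day, 28))


def review_due(risk: Risk, today: date, interval_months: int = 6) -> bool:
    """Due when the review interval has passed or a big change occurred since the last review."""
    return risk.changed_since_review or today >= add_months(risk.last_reviewed, interval_months)


# Constructed sample register for a small business.
REGISTER = [
    Risk("Customer database", "phishing leads to stolen admin credentials", "high", "high",
         "MFA on all admin accounts; phishing awareness training", date(2024, 3, 1)),
    Risk("Office laptops", "unpatched OS exploited by malware", "medium", "high",
         "enable automatic updates; remove local admin rights", date(2024, 9, 1)),
    Risk("Website CMS", "weak password on editor account", "high", "medium",
         "enforce password policy; enable MFA", date(2024, 12, 1), changed_since_review=True),
    Risk("Shared printer", "default admin password left in place", "medium", "low",
         "change default credentials", date(2024, 11, 1)),
]

SAMPLE_TODAY = date(2025, 1, 15)  # constructed "today" for the worked run


def report(today: date):
    """Return (asset, score, rating, review_due) rows in priority order."""
    return [(r.asset, score(r), rating(score(r)), review_due(r, today))
            for r in prioritise(REGISTER)]


if __name__ == "__main__":
    for row in report(SAMPLE_TODAY):
        print("%-18s score=%d rating=%-6s review_due=%s" % row)
```

Running the block prints the register in priority order: the customer database (score 9) comes first and is overdue for review, the laptops and CMS tie at 6 with the CMS flagged because of a recent change, and the printer (score 2) sits at the bottom. Whatever tool you actually use, the point is the same: a consistent scale, a written record of each decision, and a trigger for re-review.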
Use the National Cyber Security Centre's (NCSC) tools for a structured approach:
- Check your cyber security service to scan for vulnerabilities
- 'Exercise in a Box' tool to test resilience
Cyber risk management
Cyber risk management is the ongoing cycle of identifying, treating and monitoring cyber risks over the long term. It involves several key steps, including:
- risk analysis - identify threats to your business
- risk strategy - decide on processes and controls your business needs
- implementation - deploy risk solutions
- risk training - educate staff about their role in managing risks
- monitoring - review and test the effectiveness of your measures
- risk transfer - consider insuring against cyber risks and plan contingencies
Follow proven IT risk management processes to build resilience. This helps you prevent, detect and respond to cyber threats in a way that minimises business disruption and financial loss.
What is cyber risk insurance?
Cyber risk insurance (also called cyber insurance) covers your business's direct financial losses from cyber attacks, such as data breaches and ransomware. It is considered first-party insurance. It helps pay for recovery costs like:
- breach investigations
- data and system restoration
- incident response
- professional fees
- business interruptions (for example, downtime)
Cyber liability insurance covers your legal responsibilities to others from cyber incidents (third-party insurance). It pays for claims made by regulators or customers if their data is compromised, and typically includes:
- customer notifications and credit monitoring
- legal defence costs - including fees and settlements from privacy lawsuits
- fines under UK GDPR or other regulatory penalties, where these are insurable by law
Most cyber insurance policies bundle both types for full protection. Some offer them separately, so check terms for overlap or gaps. Some policies may also cover you against things like extortion, electronic theft or intellectual property infringement.
Always check exclusions and requirements, such as holding Cyber Essentials certification or having specific controls (for example, multi-factor authentication and tested backups) in place. Premiums may depend on your business size, sector and the security measures you have in place, so review policy details carefully before buying. See more on cyber insurance.