NCSC’s Oswald: Severity of cyber threat “widely underestimated” by UK firms

By Ryan Hewlett

Jan 29 - (The Insurer) - The threat to UK businesses and critical infrastructure from cyber attacks by nation states and bad actors remains “widely underestimated” by the public, with policymakers increasingly looking to the (re)insurance market to promote and build cyber resilience.

Speaking at the Association of British Insurers’ inaugural cyber conference on Wednesday, Felicity Oswald, chief operating officer at the UK's National Cyber Security Centre (NCSC), warned that UK defences are not keeping pace with the threat of cyber attacks.

As the gap between threats and UK defences continues to widen, greater collaboration between industry, infrastructure, policymakers and the insurance market will be critical, Oswald said in a keynote speech.

“We believe the severity of the risk to the UK is unfortunately widely underestimated by the public, by business and by other organisations, and despite all of our efforts to improve collective cybersecurity, the gap between threats and our defences continues to widen.”

Oswald, who has been COO of the GCHQ entity since January 2023, highlighted Russia, China, Iran and North Korea as the leading nation states which pose a threat to critical national infrastructure (CNI) and businesses of all sizes in the UK.

“Russia continues to inspire non-state threat actors within its proximity to carry out cyber attacks on Western CNI, including via activities in Ukraine, but beyond that, too,” said Oswald.

“China remains a sophisticated threat actor in cyberspace. It has increasing ambition to project its influence beyond its borders, and both Iran and North Korea continue to act irresponsibly in cyberspace, posing a threat to the UK and our allies.”

But the common denominator across all organisations in the UK is cybercrime, particularly the threat posed by ransomware, which continues to be the most “immediate and disruptive threat” to many organisations, continued Oswald.

With global ransomware losses topping $1bn in 2023 and notable attacks on UK healthcare and financial services in 2024, Oswald noted that the disruption caused by a cyber attack has “deep implications” for affected organisations.

The UK insurance market continues to take a leadership position in promoting risk awareness and resilience but more needs to be done to ensure cyber threats are managed effectively by organisations, Oswald continued.

“The insurance sector has been at the cutting edge of industrial developments throughout its long history, and with the future of technology and growth so defined, it is more important than ever that the pace of our partnership across government and industry builds in both ambition and momentum,” Oswald said.

The executive, who also served as interim CEO of the NCSC between January and October 2024, flagged the sector’s role in promoting the UK’s Cyber Essentials, a government-backed certification scheme designed to promote best practice in cyber protection.

NCSC statistics indicate that organisations are 93 percent less likely to make a claim on cyber insurance than those organisations without Cyber Essentials.

Oswald continued: “I am keen that the NCSC and your industry work together to ensure that those organisations who are acting in good faith and doing what they can at the speed that is possible can still implement good cybersecurity measures.”