Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, if she will take steps to align the National Cyber Security Centre’s Cyber Essentials certification with the insurance industry’s standards to protect organisations against cyber risk, starting with the inclusion of backups.

The government is engaging insurers and brokers to encourage clear, proportionate conversations about cyber risk and good cyber hygiene. Insurers typically take risk‑based approaches to underwriting and the government is encouraging the inclusion of fundamental cyber security measures, such as Cyber Essentials.

Data backups are a key part of the cyber incident response and recovery process and are critical to an organisation’s cyber resilience. The Cyber Essentials scheme focuses on defensive technical controls to prevent the most common cyber threats by stopping attackers gaining access. Data backup is not preventative, and therefore not a requirement for the scheme. However, the Cyber Essentials guidance makes clear that data backup is essential for recovery following a successful attack and strongly encourages organisations to implement a backup solution. The scheme is continually reviewed to ensure the controls remain appropriate and effective.