CFC gains NCSC assurance for insurer-led cyber exercise programme

Internal response capability tested

By Rod Bolivar

CFC has gained NCSC assurance for a cyber incident exercise programme delivered directly by the insurer, placing insurer-led cyber preparedness services into sharper focus across the corporate cyber market.

The designation from the National Cyber Security Centre applies to CFC’s cyber incident tabletop exercise programme, which is included within its corporate cyber policy at no additional cost. The programme is managed through its in-house cyber risk management operations rather than outsourced to third-party providers.

The exercises are designed to test how organisations respond during cyber incidents, including executive escalation, internal communications, incident coordination and decision-making under pressure.

The NCSC’s assured Cyber Incident Exercising provider status is awarded to organisations meeting standards tied to the design and delivery of cyber incident exercises. Assessments cover whether scenarios are technically credible, based on current threat activity and structured around operational conditions organisations may encounter during cyber events.

The move continues CFC’s approach of integrating cyber risk management services into policy offerings rather than limiting cyber cover to post-incident claims response. In previous product launches, CFC positioned proactive cyber services and incident prevention tools as part of its underwriting model, including within its Cyber Proactive Response product for businesses with revenues up to £250 million.

That product included contractual access to cyber-attack prevention services, alongside coverage revisions and reduced exclusions.

Many insurers continue to rely on external cyber incident providers or accredited response partners. CFC’s own programme is intended to help brokers and policyholders address cyber preparedness before incidents occur.

“Cyber insurance shouldn’t start at the point of loss,” said Andrew Prendergast, head of global corporate cyber & tech at CFC. “Our focus is on helping clients well before an incident occurs. Many cyber claims are driven by human and organisational factors, which is why preparedness is so critical. Embedding NCSC assured tabletop exercises as standard within our corporate cyber policies is part of how we support brokers in delivering real value to clients, while helping organisations build confidence, resilience and real decision making capability.”

Accreditation beyond incident response

CFC said its tabletop exercise programme is also delivered in line with standards developed by CREST for incident exercising. CREST is an accreditation body covering cyber security and incident response providers.

CFC holds CREST CSIR accreditation across its major operating regions and manages around 4,000 cyber incidents annually through a global team of more than 200 cyber security engineers, incident responders and forensic specialists. CFC first obtained CREST accreditation in 2023.

Few insurers operate insurer-led cyber exercising programmes carrying both NCSC assurance and CREST accreditation. CFC is pursuing CREST Cyber Incident Exercising accreditation across additional regions.

“Effective cyber exercising has to reflect real world threats and pressure,” said Martin Heyde, managing director UK & global head of incident response at CFC. “Achieving NCSC assurance and CREST accreditation recognises the technical robustness of our exercise design and the way we integrate threat intelligence, response workflows and human decision making into each scenario.”

Broker conversations moving beyond policy wording

The insurer’s latest cyber announcement also follows recent efforts by CFC to provide industry-focused cyber education resources for brokers. CFC expanded its Cyber Masterclass programme with sector-specific modules covering industries including healthcare, construction, manufacturing, retail, hospitality, education, professional services and the public sector.

The programme was designed to help brokers discuss how cyber exposures differ across sectors, including ransomware disruption, payment system failures, supply chain vulnerabilities and funds transfer fraud.

The tabletop exercise programme forms part of CFC’s corporate cyber risk management services, delivered within its cyber offering. Those services include real-time threat intelligence, zero-day vulnerability alerts and 24/7 deep and dark web monitoring through its global Security Operations Centre.
