More than half (52 percent) of London’s borough councils do not have a cyber insurance policy in place to provide support in the event they suffer a cyberattack on their IT systems.
The details emerged from a Freedom of Information (FoI) request by ransomware protection solution provider ProLion.
The FoI request last December to all 33 of London’s borough councils, including the City of London Corporation, found that 17 local authorities are not properly insured against the risk of a cyberattack.
The other 16 either did not respond, were unclear in their response, or refused to say whether or not they have a cyber insurance policy in place, says ProLion. They cited Section 31 of the Freedom of Information Act which exempts the disclosure of information that could ‘prejudice the prevention or detection of crime’.
One council responded to say that the disclosure of information related to cyber insurance could lead to an increased risk by encouraging an attack. Others said that disclosure of such information would give cybercriminals insight into possible vulnerabilities, or embolden them to attack those most at risk.
Eight borough councils (24 percent) were ambiguous or unclear in their response to the FoI request. Three borough councils did not respond to the request at all.
Public sector a prime target
According to a report by the UK’s National Cyber Security Centre, almost half of all recorded UK cyber incidents between September 2020 and August 2021 targeted the public sector. In October 2020, Hackney Borough Council in east London suffered a serious ransomware attack which took many of its services and IT systems offline. The attack cost the council millions of pounds and data is still missing across many services.
Last month, the Information Commissioner’s Office ordered Hackney Borough Council to disclose information regarding what cybersecurity training its staff had received prior to the attack, when they were required to work from home due to the Covid-19 pandemic.
“Ransomware attacks have continued to rapidly grow both in frequency and sophistication,” said Steve Arlin, VP sales, UK, Americas & APAC, ProLion. “The situation demanded action a long time ago, and the issue is now so large that businesses can’t afford to be reactive in their approach to cybersecurity.”
“Ransomware brings with it a risk of reputational damage, productivity losses, and of course the cost of paying the ransom. But for an organisation such as a borough council, the risk of large volumes of sensitive personal data falling into the wrong hands means that it could face huge UK GDPR related fines as a result.
“We would advise all organisations to bolster their defences with several layers of protection, and with multiple mitigations at each layer. It’s also wise to invest in the latest file protection solutions, as these can automatically block known ransomware signatures and files that have not been approved, while simultaneously monitoring users for any unusual behaviour. This is a vital final layer of cyber defence if all other security solutions fail.”
Increasing cost of cyber insurance
However, responding to the freedom of information request, a representative for one council explained: “We have discovered the cyber insurance market remains very challenging and therefore difficult to obtain competitive quotations, we are currently looking at both insurance and a cyber consultancy review, including self-assessments as a solution to our cyber risks.”
Arlin continued: “It’s no secret that a rise in ransomware attacks has brought on an increase in the price of cyber insurance in recent years. In fact, Sophos’ 2021 Guide to Cyber Insurance revealed that the average cost of cyber insurance has increased by 32 percent. The cyber insurance market is evolving at an extraordinary speed to keep pace with the growing volume and developing sophistication of attacks.”