A Freedom of Information (FOI) request suggests an absence of cyber insurance policies within local authorities and government departments.

The FOI request, submitted in 2023 by USB manufacturer Apricorn, shows that of the 40 government departments and local councils questioned, just one – Flintshire County Council – confirmed it has cyber insurance in place. Nineteen stated that they do not have any cyber insurance, 13 declined to share and the remainder did not respond to the FOI request.
Six of those that responded, including HMRC and the Cabinet Office, said they had no intention of seeking cyber insurance.
Apricorn described the lack of insurance as “worrisome considering the potential financial repercussions and the risks to sensitive data should this be breached.”
It added that the attitude towards cyber insurance suggests “that these departments are not able to factor cyber insurance into the annual budget even though a breach could well prove more expensive.”
Cyber insurance “a critical tool”
“Though cyber insurance is not mandated, it’s certainly a worthwhile investment given the value of the data housed by these government departments. These same FoI requests unveiled councils within the UK have disclosed almost 1500 data breaches in 2022,” said Jon Fielding, managing director, EMEA at Apricorn.
“The cost of recovery and response can far outweigh the cover itself and put public data at risk of being further exposed. That said, insurance is not simply about the cost of a breach but helps organisations focus on shoring up cyber defences to ensure compliance regulations are met and adhered to. It also allows for organisations to identify and implement the tools and back-up processes that can limit the chance of attack and enable full recovery should a breach occur.”
In addition, separate findings from Censuswide on data security practices among IT security decision makers in the commercial sector showed that cyber insurance within their organisations was a critical tool in their armoury. When asked which risks, if any, were most important to cover in a cyber insurance policy, 21 percent cited insider threats (unintentional), 19 percent phishing attacks, 16 percent ransomware attacks and 16 percent third-party attacks.
In terms of the tools and strategies organisations have incorporated into employee usage policies to meet cyber insurance compliance, data backup ranked highest at 28 percent, followed by regular patch updates (27 percent), employee training and awareness (25 percent), encrypted storage at rest (25 percent), password hygiene (23 percent) and encrypted storage on the move (22 percent), with MFA, endpoint protection and others trailing behind.
“It’s no surprise that insider threats are still top of mind when it comes to cyber risks and it’s great to see this is a key consideration for businesses. That said, it seems these same businesses also recognise that the likelihood of a breach is real and the need for a robust back-up process is critical in that event to allow for a smoother recovery process. Given the risks posed by insiders, the need to train and educate employees and ensure they limit risk is also essential to complying with insurance policies,” said Fielding.