Despite holding vast amounts of personal data on citizens, which makes them a prime target for cybercriminals, fewer than half of London’s borough councils have cyber insurance to protect them in the event of a breach, new figures show. While experts say many councils choose not to insure against cybercrime, for others financial factors make taking out a policy impractical.
Following a Freedom of Information (FoI) Act request by cybersecurity company ProLion, 17 out of London’s 32 borough councils (52%) confirmed that they did not have a cyber insurance policy. The figure could be bigger, as five of the councils declined to say whether or not they had a policy in place, and two more did not respond to the request.
One council explained it did not have a policy because “[it] discovered the cyber insurance market remains very challenging and therefore difficult to obtain quotations, we are currently looking at both insurance and a cyber consultancy review including self-assessments as a solution to our cyber risks.”
“Organisations of all sizes and sectors are viable targets for opportunistic cybercriminals but the public sector is likely to hold more sensitive data, including Council Tax, medical records, and financial information,” said Steve Arlin, VP for sales, UK, Americas and APAC at ProLion. “This might explain why they are a preferred target and more likely to pay any ransom demands.”
Hackney Council in London was hit with a cyberattack in October 2020, resulting in data being published online the following January. A recent audit report shows the attack could cost the council up to £10m, but despite this Hackney is one of the local authorities that does not have a cyber insurance policy in place, according to the FoI data.
“Ransomware brings with it a risk of reputational damage, productivity losses, and of course the cost of paying the ransom,” Arlin said. “But for an organisation such as a borough council, the risk of large volumes of sensitive personal data falling into the wrong hands means that it could face huge UK GDPR related fines as a result.”
Do local councils need cyber insurance?
With cyberattacks on the rise, Duncan Sutcliffe, a specialist broker at insurance business Sutcliffe & Co, says they should be treated like any other risk. "Office of National Statistics figures are now showing more cyber-enabled crime than all other crime combined," he says. "So it would be common sense to insure against cyber risks in the same way a local authority insures against other risks that are less common such as arson and burglary."
As was the case in Hackney, Sutcliffe says cyber breaches can be "absolutely catastrophic" in terms of disruption and financial losses. "A cyber policy can help with a lot of this by providing technical, legal and disaster management experts who can help find the problem, remove the problem, restore systems and data, handle legal and regulatory issues, handle PR and notification issues, communicate with data subjects and regulators and pay a long list of other costs and expenses," he says.
Why don’t London borough councils have cyber insurance policies?
There are two main hurdles when it comes to councils having cyber insurance: whether they want to purchase it and whether they are able to.
In the case of the former, Sutcliffe says that councils often don’t purchase cybersecurity insurance due to what he argues are “false perceptions”, such as doubts over whether they are a target for cybercriminals, or a belief that their existing infrastructure is strong enough to handle an attempted breach.
There could also be an issue with different departments having different insights into the risk picture, Sutcliffe says. “The decision on buying cyber insurance is given to their IT department who might not have the same risk picture as other departments,” he explains.
A study conducted by Ipsos Mori and commissioned by the Department for Digital, Culture, Media and Sport (DCMS) found that cyberattacks had both short and long-term costs for organisations, making it difficult for decision-makers to truly understand the full cost of an attack.
In some cases, cyber insurance policies might not cover certain attacks or data breaches. Sutcliffe advises that exclusions could include viruses that were already on the system before cover was purchased, fraudulent bank or money transfers or replacement of hardware.
Are cyber insurance policy premiums too high?
Budgets can also play a part; according to research published by Unison in August 2021, councils in England, Wales and Scotland faced budget deficits of nearly £3bn in the following financial year, meaning things such as cyber insurance policies have to be deprioritised in favour of other services.
For some local councils, particularly those who have already been victims of ransomware or other cyberattacks, the premium for a cyber insurance policy might be prohibitive.
"Cybersecurity insurance is a rapidly evolving and often misunderstood topic that businesses of all sizes increasingly must confront," says Bill Conner, CEO of cybersecurity business SonicWall. "Ransomware volume has jumped 232% globally since 2019, exponentially increasing the risk of doing business for any modern organisation."
Even as proactive organisations are doing their best to insure their data, products and business continuity, “insurance companies are struggling to predict the impact caused by modern cyber threats,” he continues. “The result all too often is that both rates and policy terms are wide-ranging, and because of the sheer volume of cyberattacks, compromised organisations are causing cyber insurance rates to increase for everyone.”
Indeed, as reported by Tech Monitor, 98% of organisations surveyed by insurance company Marsh said their cyber premium rose in the year to February 2021.
Insurance companies, brokers and other service providers “are now exploring new and changing models for assessing cyber risk, often making it hard for businesses to predict or afford the costs of cyber insurance or to understand how terms and coverage limits will impact them if they are the victim of an attack,” Conner warns.
Adding to those challenges "is the fact that many victims of cyberattacks are repeat offenders, causing already unpredictable rates to spike, sometimes exponentially," Conner says.
This issue is currently under review by the DCMS. In its policy paper, '2022 cyber security incentives and regulation review', one of the areas the department is exploring is cyber insurance. It says: “Her Majesty’s Treasury will continue to work closely with the cyber insurance sector and explore how to make additional data available for use in modelling. DCMS’ policy focus on creating and sharing more robust cyber risk impact information will also contribute to this objective.”