Rebecca recently joined us in 2024 as a Senior Content Writer and has experience researching and creating multimedia content. With a keen interest in current and emerging industry affairs, Rebecca responds through a critical lens and, by promoting thought and discussion, aims to increase awareness of UKGI’s work.
Low uptake of cyber insurance in local councils and Government departments, despite rising threats
Findings by Apricorn, a leading manufacturer of hardware-encrypted USB drives, reveal a concerning lack of cyber insurance across councils and government departments, despite an increase in ransomware, phishing, and insider threats. The findings indicate inadequate backup strategies and limited investment in cyber insurance across organisations, suggesting that the UK public sector lacks an understanding of the importance of cyber protection.
The findings, based on Apricorn’s annual Freedom of Information (FOI) request to councils and government departments across the UK, revealed that only two out of 41 local councils had cyber insurance policies: Flintshire County Council, which adopted its policy in October 2022, and London Councils, whose policy covers the period 2021 to 2024. Two other councils, Ards and North Down Borough Council and Greater Manchester Combined Authority (GMCA), cited plans to invest in such policies in the next year.
Notably, some councils either did not respond to the survey, confirmed they had no cyber insurance, or admitted they had no plan to secure such policies soon. Meanwhile, Suffolk County Council responded that it had handled 334 breaches internally, raising concerns about its ability to cost-effectively recover from future incidents.
Arguably, public organisations face significant operational and financial risks due to a chronic lack of protection. In 2023, Apricorn’s Freedom of Information (FOI) request found 5000 data breaches occurred among 17 local councils. The risk is continuing to grow, with several councils reporting repeated cyber-attacks in recent months.
In relation to the findings, Apricorn’s Managing Director, Jon Fielding, commented: "Local councils and government departments are responsible for large amounts of sensitive data and should lead by example by adopting stronger cyber insurance policies and more robust data protection measures."
The low uptake of cyber insurance in the public sector is a stark contrast to the private sector’s apparent recognition of the increasing need for cover. Separately, Apricorn’s 2024 annual research shows that 78% of surveyed IT security decision makers in the private sector have cyber insurance, although only 28% trust that their policies would provide effective cover in the event of a breach.
Moreover, a combined 15% of respondents either have doubts about the adequacy of their cover (7%) or failed to secure financial assistance after making a claim (8%). More positively, 21% noted that they have cyber insurance in place but have not yet had to claim.
Fielding noted: "Data breaches not only pose a financial threat but can severely disrupt operations. Yet, our research shows that many organisations are still failing to prioritise effective data backup strategies and appropriate insurance coverage."
Ransomware incidents are now recognised as a crucial risk requiring cover under insurance policies, with 31% of IT security professionals citing it as a key concern, a substantial increase from 16% in 2023. This is understandable, considering 31% of respondents cited ransomware as one of the leading causes of a data breach within their organisation. Phishing attacks continue to pose a significant risk, increasing from 19% in 2023 to 23% in 2024, with third-party attacks and lost and stolen devices just behind at 13%.
As ransomware and phishing attacks become increasingly frequent and sophisticated, Fielding called on organisations to “ensure that they have a robust multi-layered approach to backups and security measures to recover swiftly from such incidents.”
The survey revealed organisations were increasingly reliant on backup strategies; 46% of respondents cited data backups as an essential tool to meet cyber insurance compliance requirements, up from 28% in 2023. It is likely that this is a result of so many failed recoveries; 33% of IT security decision makers admitted that full data recovery had failed following a breach due to inadequate backup processes.
Fielding pointed out that cyber insurance prompts “organisations to shore up their defences, ensuring better compliance with regulatory standards and promoting best practices in data security”.
He also emphasised the “urgent need for organisations, both public and private, to reassess their priorities, invest in better recovery strategies, and consider the benefits of cyber insurance in mitigating both financial and operational risks”.