Government departments dismissing cyber insurance despite breaches in their thousands
November 2023 by Apricorn
Apricorn has announced further findings from FoI responses from local authorities and government departments into their cybersecurity practices. The results highlighted a worrying trend in their attitudes towards cyber insurance and a lack of policy or even plans to adopt cyber insurance in the future.
Of the 40 government departments and local councils questioned, just one (Flintshire County Council) confirmed they have existing cyber insurance in place, 19 stated that they do not have any cyber insurance, 13 declined to share and the remainder did not respond to the FoI request. The lack of insurance is worrisome considering the potential financial repercussions and the risks to sensitive data should this be breached.
To add to this, six of those that responded, including Her Majesty’s Revenue and Customs (HMRC) and the Cabinet Office, cited that they had no intention of seeking cyber insurance. The attitude towards cyber insurance suggests that these departments are not able to factor cyber insurance into the annual budget even though a breach could well prove more expensive.
“Though cyber insurance is not mandated, it’s certainly a worthwhile investment given the value of the data housed by these government departments. These same FoI requests unveiled councils within the UK have disclosed almost 1500 data breaches in 2022.
“The cost of recovery and response can far outweigh the cover itself and put public data at risk of being further exposed. That said, insurance is not simply about the cost of a breach but helps organisations focus on shoring up cyber defences to ensure compliance regulations are met and adhered to. It also allows for organisations to identify and implement the tools and back-up processes that can limit the chance of attack and enable full recovery should a breach occur”, said Jon Fielding, Managing Director, EMEA Apricorn.
In addition, separate findings from annual research into data security practices amongst IT security decision makers in the commercial sector, showed that cyber insurance within their organisations was a critical tool in their armoury. When asked what risks, if any, were most important to cover in any cyber insurance policy, insider threats (unintentional) were cited by 21%, phishing attacks by 19%, ransomware attacks, 16%, and third-party attacks, 16%.
In terms of tools and strategies organisations have incorporated into employee usage policies to meet cyber insurance compliance, data backup was ranked highest by 28%, followed by regular patch updates 27%, employee training and awareness 25%, encrypted storage at rest 25%, password hygiene 23% and encrypted storage on the move 22%, with MFA, endpoint protection and others trailing behind.
“It’s no surprise that insider threats are still top of mind when it comes to cyber risks and it’s great to see this is a key consideration for businesses. That said, it seems these same businesses also recognise that the likelihood of a breach is real and the need for a robust back-up process is critical in that event to allow for a smoother recovery process. Given the risks posed by insiders, the need to train and educate employees and ensure they limit risk is also essential to complying with insurance policies,” added Fielding.
The research was conducted by Censuswide with 201 IT security decision makers (manager level +) of large companies in the UK between 30.03.2023 – 03.04.2023. Censuswide abides by and employs members of the Market Research Society which is based on the ESOMAR principles and are members of The British Polling Council.