Government says no to cyber insurance

​

Despite the increasing number of cyber breaches, Government departments indicate that they have no intention of adopting cyber insurance policies in the future, according to the findings from Freedom of Information (FoI) requests from Apricorn (www.apricorn.com).

FoI responses from local authorities and government departments into their cybersecurity practices highlights a worrying trend.  Of the 40 government departments and local councils questioned, just one (Flintshire County Council) confirmed they have existing cyber insurance in place, 19 stated that they do not have any cyber insurance, 13 declined to share and the remainder did not respond to the FoI request.  The lack of insurance is worrisome considering the potential financial repercussions and the risks to sensitive data should this be breached.

To add to this, six of those that responded, including Her Majesty’s Revenue and Customs (HMRC) and the Cabinet Office, cited that they had no intention of seeking cyber insurance. The attitude towards cyber insurance suggests that these departments are not able to factor cyber insurance into the annual budget even though a breach could well prove more expensive.  

“Though cyber insurance is not mandated, it’s certainly a worthwhile investment given the value of the data housed by these government departments.  These same FoI requests unveiled councils within the UK have disclosed almost 1,500 data breaches in 2022,” says Jon Fielding, Managing Director, EMEA, Apricorn.

“The cost of recovery and response can far outweigh the cover itself and put public data at risk of being further exposed.  That said, insurance is not simply about the cost of a breach but helps organizations focus on shoring up cyber defences to ensure compliance regulations are met and adhered to.  It also allows for organizations to identify and implement the tools and back-up processes that can limit the chance of attack and enable full recovery should a breach occur.”

Cyber insurance is seen as a critical tool in the cybersecurity armoury according to Apricorn’s annual research into data security practices amongst IT security decision makers in the commercial sector.  When asked what risks, if any, were most important to cover in any cyber insurance policy, insider threats (unintentional) were cited by 21%, phishing attacks by 19%, ransomware attacks, 16%, and third-party attacks, 16% of respondents.

In terms of tools and strategies organizations have incorporated into employee usage policies to meet cyber insurance compliance, data backup was ranked highest by 28%, followed by regular patch updates 27%, employee training and awareness 25%, encrypted storage at rest 25%, password hygiene 23% and encrypted storage on the move 22%, with MFA, endpoint protection and others trailing behind.

“It’s no surprise that insider threats are still top of mind when it comes to cyber risks and it’s great to see this is a key consideration for businesses.  That said, it seems these same businesses also recognise that the likelihood of a breach is real and the need for a robust back-up process is critical in that event to allow for a smoother recovery process.  Given the risks posed by insiders, the need to train and educate employees and ensure they limit risk is also essential to complying with insurance policies,” comments Fielding.