According to Techmonitor, 48 percent of London boroughs have invested in cyber insurance, leaving 17 boroughs vulnerable to a significant loss in the event of a cyberattack. In the beginning of 2020, Hackney council was the victim of a phishing attack, where confidential information was compromised and the council incurred losses of £10 million. A study conducted by Ispos Mori and is currently funded by The Department of Digital, Culture, Media, and Sport showed that cyberattacks have both short- and long-term effects, making it extremely difficult for policy makers to fully understand the cost of an attack.
Although local authorities have understandable budgetary limitations, this is very worrying news. Local councils are an enticing target for cybercriminals. And you only need to look at the devastation caused by the breach at Hackney council to see the consequences of a successful breach.
It’s clear there are two key areas in which local councils need more help. First, in implementing the right cybersecurity controls and practices to better protect themselves. Second, in being able to access cyber insurance to act as a ballast should the worst come to pass. Local authorities form a crucial part of the UK infrastructure and they need to be protected as such.
The increase in frequency and severity of ransomware attacks on businesses in the last couple of years has resulted in a significant tightening of the cyber insurance market. Cyber insurance premiums have increased markedly and the extent and level of cyber insurance coverage has decreased. Insurers have also changed tact and will only provide coverage to businesses who maintain a certain level of cyber security sophistication within their organisations. With cyber insurance no longer sufficiently protective or affordable in many cases, the most important risk mitigation exercise for companies in 2022 should be improving cyber security resilience and governance.
The full of extent and cost of a cyberattack is impossible to determine but there are ways in reducing the impact and cost. Cyber insurance is just as vital as business insurance but must not be relied upon in the same light, nor should it be the only antidote to mitigate a cyberattack. Many organisations view such hefty demand payments as part of the daily business but as a result some insurance companies push up their premiums which in turn make their services seem overpriced. Those who purchase cyber insurance often view it as a get out of jail card should the worst case scenario occur but it remains just another tool in the toolkit. Although insurance may be viewed as a last chance backup method in reactively protecting organisational data, it is still possible to proactively protect it by having the correct security in place initially such as patch management, up to date antivirus software and by conducting impromptu staff training.