UK government departments show apathy towards cyber insurance
UK government departments and local councils indicate a disconcerting trend in their attitudes towards cyber insurance, with the majority revealing a lack of policy or even plans to embrace cyber insurance in the future. This is according to data from Apricorn, a leading provider of hardware-encrypted USB drives, which is informed by Freedom of Information (FoI) responses.
Out of 40 government departments and local councils, only Flintshire County Council confirmed they have existing cyber insurance in place. Nineteen reported that they did not have any cyber insurance, 13 withheld their information, and the remaining respondents did not reply to the FoI request. This absence of insurance is troubling given the potential financial implications and the risks to sensitive data in the event of a breach.
Compounding this, six of the responding bodies, including Her Majesty's Revenue and Customs (HMRC) and the Cabinet Office, disclosed that they have no plans to pursue cyber insurance. This apathetic stance towards cyber insurance implies that these departments are unable to factor such provisions into their annual budgets despite a breach potentially costing more.
Jon Fielding, Managing Director, EMEA at Apricorn said, "Though cyber insurance is not mandated, it's certainly a worthwhile investment given the value of the data housed by these government departments. The same FoI requests also revealed that UK councils reported nearly 1500 data breaches in 2022. The cost of recovery and response can far outweigh the cover itself and put public data at further risk of exposure. Insurance not only provides finance in the event of a breach but helps organisations focus on strengthening their cyber defences, meeting and adhering to compliance regulations."
Concurrently, annual research into data security practices amongst IT security decision-makers in the commercial sector showed that cyber insurance was a critical tool within their organisations. When asked what risks, if any, were most necessary to cover under any cyber insurance policy, unintentional insider threats were cited by 21% of participants, phishing attacks by 19%, ransomware attacks by 16%, and third-party attacks by 16%.
Fielding further noted, "It's no surprise that insider threats are still a dominating concern when it comes to cyber risks. This makes it imperative for businesses to train and educate employees and ensure they limit risk, which also aids in complying with insurance policies. Given the real threat of a breach, the need for a robust backup process is also critical for a smoother recovery process."
Regarding tools and strategies to meet cyber insurance compliance, data backup was ranked highest by 28% of organisations, followed by regular patch updates (27%), employee training and awareness (25%), encrypted storage at rest (25%), password hygiene (23%) and encrypted storage on the move (22%), with MFA, endpoint protection and others trailing behind.