There can be little doubt that the frequency and severity of cyber-attacks in the UK remain a major concern. According to the UK Government’s Cyber Security Breaches Survey 2020, almost half of businesses (46%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. As in previous years, this is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%).
The picture for local authorities in the UK is just as concerning. According to 2018 research based on Freedom of Information requests, over the past five years there have been 376 cyber security incidents – cases where there has been an actual breach – and this has affected more than a quarter of councils.
The investigation revealed that 25 councils experienced one or more cyber security incidents resulting in the loss or breach of data.
The analysis also found that cyber-attacks on local authorities most commonly involve viruses and other malicious software, or phishing, where the perpetrator attempts to obtain sensitive information such as passwords.
Then of course, there are the ramifications that exposure to these risks can cause, such as business interruption, income loss, damage management and repair, and the possibility of reputational damage if IT equipment or systems fail or are interrupted.
Unfortunately, there can be a degree of uncertainty for risk managers as to what exactly their current insurance policies provide in terms of coverage, and specifically whether you would be covered in the event of a cyber-attack on your organisation. And this remains a UK-wide issue. According to the Cyber Security Breaches Survey, the charity findings show a rising incidence, from 19% in 2018 (when charities were first surveyed) and 22% in 2019, to 26% in 2020.
Historically, from an insurance perspective, we have tended to look at coverage initially from the point of view of tangible assets, such as physical buildings, plants and machinery, with available extensions in the form of business interruption cover for loss of revenue.
And yet, the world is changing. Whereas historically, and rightly, a company or public authority’s focus would have been on its physical assets, in the 21st century there can be little argument that intangible assets – your information, your data, and your intellectual property – are just as important.
As we know, cyber-attacks can target any form of electronic information, so we are clearly not in the realm of tangible assets. Instead we are looking at a variety of scenarios, including loss or damage to data or software programmes; business interruption losses as a result of network downtime; or even cyber & data extortion demands where third parties threaten to damage or release data if money is not paid to them. We have moved from a tangible to an intangible risk.
For example, a party could hack into your computer systems and cause extensive damage, but if you haven’t taken out cyber insurance then you will not necessarily be covered for the consequences of such an attack. It is vital to ensure that your intangible assets are insured, but the good news is that the cyber insurance market is developing to plug that gap.
You might think that your public liability (PL) insurance will insure you for the consequences of a cyber-attack, but PL in the traditional sense covers bodily injury or physical damage to a third party. From a cyber perspective, if something from a local authority causes non-physical damage to a third party, that will not be covered. In some respects, cyber insurance at the moment is like the directors & officers’ liability market was some years ago, with limited knowledge about what the product covers and why it is so important. And yet, with the scale and regularity of cyber-attacks in the UK increasing year on year, it is vital that you review the adequacy of your existing insurance and determine whether that will cover you in the event of an attack on your authority.