There can be little doubt that the frequency and severity of cyber-attacks in the UK remain a major concern. According to the UK Government’s Cyber Security Breaches Survey 2020, almost half of businesses (46%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. As in previous years, this is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%).
The picture for local authorities in the UK is just as concerning. According to 2018 research based on Freedom of Information requests, over the past five years there have been 376 cyber security incidents – cases where there has been an actual breach – and this has affected more than a quarter of councils.
The investigation revealed that 25 councils experienced one or more cyber security incidents resulting in the loss or breach of data.
The analysis also found that cyber-attacks on local authorities most commonly involve viruses and other malicious software, or phishing, where the perpetrator attempts to obtain sensitive information such as passwords.
Then of course, there are the ramifications that exposure to these risks can cause, such as business interruption, income loss, damage management and repair, and the possibility of reputational damage if IT equipment or systems fail or are interrupted.
Unfortunately, there can be a degree of uncertainty for risk managers as to what exactly their current insurance policies provide in terms of coverage, specifically whether you would be covered in the event of a cyber-attack on your organisation. And this remains a UK-wide issue. According to the Cyber Breaches survey, the charity findings show a rising incidence, from 19% in 2018 (when charities were first surveyed) and 22% in 2019, to 26% in 2020.
Historically, from an insurance perspective, we have tended to look at coverage initially from the point of view of tangible assets, such as physical buildings, plants and machinery, with available extensions in the form of business interruption cover for loss of revenue.
And yet, the world is changing. Whereas historically, and rightly, a company or public authority’s focus would have been on its physical assets, in the 21st century there can be little argument that intangible assets – your information, your data, and your intellectual property – are just as important.
As we know, cyber-attacks can target any form of electronic information, so we are clearly not in the realm of tangible assets. Instead we are looking at a variety of scenarios, including loss or damage to data or software programmes; business interruption losses as a result of network downtime; or even cyber & data extortion demands where third parties threaten to damage or release data if money is not paid to them. We have moved from a tangible to an intangible risk.
For example, a party could hack into your computer systems and cause extensive damage, but if you haven’t taken out cyber insurance then you will not necessarily be covered for the consequences of such an attack. It is vital to ensure that your intangible assets are insured, but the good news is that the cyber insurance market is developing to plug that gap.
You might think that your public liability (PL) insurance will insure you for the consequences of a cyber-attack, but PL in the traditional sense covers bodily injury or physical damage to a third party. From a cyber perspective, if something from a local authority causes non-physical damage to a third party, that will not be covered. In some respects, cyber insurance at the moment is like the directors & officers’ liability market was some years ago, with limited knowledge about what the product covers and why it is so important. And yet, with the scale and regularity of cyber-attacks in the UK increasing year on year, it is vital that you review the adequacy of your existing insurance and determine whether that will cover you in the event of an attack on your authority.