13 November 2024
Apricorn has announced new findings from its annual survey and FoI (Freedom of Information) requests, revealing a concerning disregard for cyber insurance across both public and private sectors.
Despite the escalating risks of ransomware, phishing, and insider threats, many organisations, including government entities, remain unprepared for cyber incidents, with inadequate backup strategies and a lack of cyber insurance coverage.
Cyber insurance offers a vital layer of protection in the wake of a breach, yet there is a persistent lack of understanding and investment, particularly in the public sector. In a series of Freedom of Information requests made to local councils and government departments across the UK, only two out of the 41 local councils questioned had a cyber insurance policy in place: Flintshire County Council, which adopted its policy in October 2022, and London Councils, whose policy covers the period 2021 to 2024.
Additionally, only two others - Ards and North Down Borough Council and Greater Manchester Combined Authority (GMCA) - mentioned plans to invest in such policies within the next year. This leaves the vast majority of local authorities without sufficient cyber coverage, despite the high stakes.
A significant number of government bodies have either declined to answer, confirmed that they have no cyber insurance, or indicated that they do not intend to invest in cyber insurance in the near future. Despite this, Suffolk County Council, which disclosed 334 breaches in the same request, noted that it manages cyber risks in-house, raising concerns about its ability to recover cost-effectively from future incidents.
“Local councils and government departments are responsible for large amounts of sensitive data and should lead by example by adopting stronger cyber insurance policies and more robust data protection measures,” said Jon Fielding, Managing Director EMEA at Apricorn.
The lack of government uptake contrasts with the private sector's recognition of the growing need for insurance. According to separate findings from Apricorn’s annual 2024 research, 78% of IT security decision makers surveyed confirmed that they do have cyber insurance in place. However, their trust in the insurance cover does not appear to be in line with its adoption rates, with just 28% noting that they have cyber insurance in place and trust that they will be covered in the event of a breach.
A further 15% highlighted that they either have cyber insurance in place but are unsure that it covers them adequately in the event of a cyber breach (7%) or have cyber insurance in place and have been unsuccessful in claiming financial assistance (8%). Positively, 21% noted that they have cyber insurance in place but have not had to make a claim.
Ransomware attacks now rank as the most important cyber risk to cover in insurance policies, with 31% of surveyed IT security decision makers identifying it as a key concern, a stark increase from just 16% in 2023. This is unsurprising given the same number (31%) noted that ransomware had been one of the main causes of a data breach within their organisation. Meanwhile, phishing attacks also continue to pose a significant risk, increasing from 19% in 2023 to 23% in 2024, with third-party attacks and lost and stolen devices not far behind at 13%.
The survey also found an increasing reliance on backup strategies, with 46% of respondents citing data backups as an essential tool to meet cyber insurance compliance requirements, up from 28% in 2023. This is likely a result of so many failed recoveries. In fact, a worrying 33% of IT security decision makers admitted they failed to completely recover data following a breach due to weak backup processes.
"Data breaches not only pose a financial threat but can severely disrupt operations. Yet, our research shows that many organisations are still failing to prioritise effective data backup strategies and appropriate insurance coverage,” said Fielding. "Ransomware and phishing attacks are only increasing in frequency and sophistication. Organisations need to ensure that they have a robust multi-layered approach to backups and security measures to recover swiftly from such incidents.”
Password hygiene (41%) and employee training and awareness (43%) are two further key strategies organisations now incorporate to ensure compliance with cyber insurance policies. These efforts, combined with encrypted storage (both at rest 35% and on the move 39%), regular patch updates (35%) and access controls (36%), are essential components of a robust cyber defence strategy.
"Cyber insurance is not just a safeguard for financial recovery; it encourages organisations to shore up their defences, ensuring better compliance with regulatory standards and promoting best practices in data security," said Fielding. "The findings from both the FoI requests and our annual survey underscore the urgent need for organisations, both public and private, to reassess their priorities, invest in better recovery strategies, and consider the benefits of cyber insurance in mitigating both financial and operational risks.”