Cyber risks never seem to be far from the news these days, and evidence suggests that hackers and fraudsters have increased their activities during the pandemic. In particular, the widespread adoption of homeworking practices has led to many organisations encountering increased cyber risk exposure.
Recent cyber attacks on world-famous brands such as Twitter and Manchester United have grabbed the headlines, but several local authorities have also suffered attacks during the pandemic, including at least two serious attacks that brought a significant proportion of the authorities’ online services to a standstill.
Attacks of this nature can shut down an authority’s day-to-day online activities – ranging from planning and licensing applications, online appointment bookings, social care advice and housing complaints, through to the authority’s ability to collect council tax and business rates.
These attacks can be hugely sophisticated, and unfortunately can have an impact even where an authority has resilient cyber security in place. So what can an authority do to reduce its risk exposure? The first thing is to check the extent of existing cyber insurance. Insurance will not, of course, prevent a cyber attack from happening, but it can assist with a rapid response and, in particular, with limiting the extent of the damage caused by the attack.
Most authorities will hold cyber insurance in some form, but the risks covered, and the limits on what the insurers will pay, will vary widely. Another effect of the pandemic has been to shine a harsh spotlight on how widely insurance cover for apparently similar risks can vary. Business interruption is a key example, where there is a dizzying variety in policy wordings, especially the triggers for cover, which have left many organisations without cover for business interruption losses caused by the pandemic.
The level of cover available under many cyber policies is, in fact, fairly basic. A strong cyber insurance policy will cover an authority for:
- Its own losses – including the cost of restoring data and replacing damaged hardware, legal fees, lost revenue, fines and even extortion payments;
- Event response – including crisis management, the cost of utilising external IT expertise to minimise and repair the damage caused by the attack, and the cost of notifying affected individuals whose data may have been accessed; and
- Third party claims – including data breach claims, and claims where a virus has been transferred on to third parties.
Authorities should work with their brokers to ensure that their cyber insurance policy provides adequate cover for the level of losses they might suffer as a consequence of a cyber attack – it seems that one of the authorities who suffered an attack this year might have had uninsured losses of over £10m.
Robust cyber risk management is also of key importance. This can be tricky to achieve; the Ministry of Housing, Communities & Local Government has recently highlighted that there is currently no shared baseline against which councils can measure their cyber health. The MHCLG is, therefore, currently working on creating a framework to allow authorities to apply a minimum level of cyber health.
That framework is, unfortunately, not likely to be available for some time. In the meantime, the LGA website contains a lot of useful cyber security resources, as does the website of the National Cyber Security Centre. Authorities that do not have the internal resource to carry out comprehensive cyber risk assessment and risk management could consider bringing in external expertise. Although this will, of course, come at a cost, that cost is likely to be a fraction of the financial impact of an avoidable cyber attack.