Many local authorities and government departments lack policies or plans to adopt cyber insurance, according to findings from FoI requests by hard drive manufacturer Apricorn.
Of the 40 government departments and local councils questioned, just one – Flintshire County Council – confirmed they have existing cyber insurance in place, 19 stated that they do not have any cyber insurance, 13 declined to share and the remainder did not respond to the FoI request.
Six of those that responded – including HMRC and the Cabinet Office – stated that they had no intention of seeking cyber insurance. Apricorn says the attitude towards cyber insurance suggests that these departments are not able to factor cyber insurance into the annual budget even though a breach could well prove more expensive.
Jon Fielding, managing director EMEA at Apricorn, said: “Though cyber insurance is not mandated, it’s certainly a worthwhile investment given the value of the data housed by these government departments. These same FoI requests unveiled councils within the UK have disclosed almost 1500 data breaches in 2022.
“The cost of recovery and response can far outweigh the cover itself and put public data at risk of being further exposed. That said, insurance is not simply about the cost of a breach but helps organisations focus on shoring up cyber defences to ensure compliance regulations are met and adhered to. It also allows for organisations to identify and implement the tools and back-up processes that can limit the chance of attack and enable full recovery should a breach occur.”
Meanwhile, separate findings from annual research into data security practices amongst IT security decision makers in the commercial sector showed that cyber insurance within their organisations was a critical tool in their armoury. When asked what risks, if any, were most important to cover in any cyber insurance policy, insider threats (unintentional) were cited by 21%, phishing attacks by 19%, ransomware attacks by 16%, and third-party attacks by 16%.
In terms of tools and strategies organisations have incorporated into employee usage policies to meet cyber insurance compliance, data backup was ranked highest by 28%, followed by regular patch updates at 27%, employee training and awareness at 25%, encrypted storage at rest at 25%, password hygiene at 23% and encrypted storage on the move at 22%.