- Councils report being hit by more than 263 million cyber-attacks in the first half of 2019, averaging 800 attacks per hour[i]
- Average successful cyber-attack on a council results in costs of £430,000
- Just 13% of councils hold a standalone cyber insurance policy meaning that the vast majority of UK authorities are underprepared for the financial deficit caused by a cyber-attack, which could set them back millions of pounds[ii]
Councils across the UK are facing unprecedented numbers of cyber-attacks, with nearly half (49%) of local councils being targeted since the start of 2017, according to Gallagher – one of the world’s largest insurance broking, risk management and consulting services companies.
Freedom of information (FOI) requests by Gallagher found that out of the 203 councils that responded, 101 had experienced an attempted cyber-attack on their IT systems since 2017. More than a third (37%) of these local authorities had experienced cyber-attacks in the first half of this year[iii].
The councils admitted to experiencing 263 million attacks in the first six months of 2019, equating to almost 800 attacks every hour. A further 204 councils either declined the information request over security concerns, or failed to respond, suggesting the true number of attacks across all councils could be more than double this and exceed 500 million in the first half of this year[iv].
Since the beginning of 2017, 17 attacks were reported to have resulted in a loss of data or money. The financial impact of such attacks can be extensive, with one council reporting a loss of over £2 million.
The threat of heavy regulatory fines for data breaches has risen since the implementation of GDPR. Councils could represent prime targets for cyber-attacks due to their holding significant amounts of personal data, Gallagher warns that the threat of a big fine from the Information Commissioner’s Office (ICO) is also potentially looming.
Local authorities remain fundamentally exposed when it comes to adequate insurance cover. From the research undertaken, only 34 councils currently hold a cyber-insurance policy – equivalent to just 13% of councils – that protects them from a financial loss or loss of data. Looking specifically at councils that have been hit by a successful attack previously, just one even now holds a cyber-specific policy.
Commenting on the epidemic of cyber incidents, Tim Devine, Managing Director of Public Sector & Education at Gallagher, said: “Our research illustrates the scale of the challenge facing local authorities in the UK. Councils are facing an unprecedented number of cyber-attacks on daily basis. While the majority of these are fended off, it only takes one to get through to cause a significant financial deficit, a cost which the tax payer will ultimately foot. Costs and reputational damage at this scale can be devastating for public authorities, many of which are already facing stretched budgets. In many scenarios, the people responsible for purchasing cyber insurance products need decisions to be made at member, or management level. The cyber threat and the need for cover needs to be high on every local authority’s agenda.”
i. 76 councils reported experienced 262,843,502 cyber-attacks in January to June 2019, rounded up to 263 million. 262,843,502 divided by the number of hours in the first half of the year (4,343) gives the total of number attacks happening per hour – 60,521, Divide this by the number of councils affected (76) to get the instance rate per council, 796
ii. 34 councils out of 255 that responded to the cyber insurance question had a standalone policy, equating to 13%
iii. 76 out of 203 councils reported cyber-attacks between January and the end of June 2019 which equates to 37%
iv. 76 councils experienced 262,843,502 cyber-attacks between January and end of June 2019. Based on the incident rate of 37% another 75 councils (37% of the remaining 204 councils that didn’t respond to the FOI request) may potentially have been affected. If you apply the average number of attacks (3,458,467) to the other 75 councils, a further 259,385,025 attacks may have occurred but have not been reported