In an ever-changing world it is essential that public authorities keep pace with emerging risks to ensure their risk management strategies and insurance policies are fit for purpose. Growing areas of risk for public authorities include suretyship and staff absence, but perhaps, the most significant and rising risk facing public sector organisations is cyber threats.
Public authorities are the number one target for attacks in the UK, with recent reports suggesting that nearly 40% of malware attacks - surreptitious downloading of software to disrupt computer operations, gather sensitive information or gain access to private systems – are against public sector organisations. The public sector is five times more likely to be targeted for attacks than the media and finance sectors.
Recent high-profile attacks on local authorities include ransom demands, theft of email and home addresses and breaches in security and have heightened growing concerns about cyber threats. Indeed, at a recent engagement event YPO held with local authorities, protecting against cyber risk was identified as a top priority but it was clear that many do not fully understand this growing risk.
It’s the value of the personal data held by public authorities that makes them such an attractive and a highly prized target to cyber criminals. The consequences of a cyber attack have the potential to be considerable and can include business interruption, data loss, and the theft of intellectual property, significantly impacting both individuals and organisations.
In some circumstances the threat of a cyber attack will extend beyond a public authority. Significant risks remain through exposure from third parties, whether they are service providers, product suppliers or customers. Public sector organisations therefore need to improve supply-chain resilience to cyber attack, particularly in cases where they have smaller business partners who are typically less well protected.
So, what can public authorities do to protect themselves?
All businesses and organisations that handle and store personal data should ensure they have adequate and appropriate security measures in place to safeguard sensitive information and ensure they are sufficiently protected in the event of a cyber attack.
Cyber attacks can be rapid, highly damaging, and public, potentially leading to a decline in customer confidence. Banks, utilities, and other critical infrastructure firms are used to this kind of tail risk and are often regulated and run with it in mind. Many public authorities are not, however, and their risk management practices are geared around lower-level, slower moving risks that can be managed within the organisation.
In fact, tackling cyber risk from the perspective of managing and mitigating risk brings an interesting and unique perspective to the problem. Insurers can play a valuable role in helping authorities reduce cyber risk by promoting the adoption of good practice, as well as bringing innovative ideas and specialist expertise to help protect organisations.
It is important that public sector organisations are properly insured against cyber attacks, with research suggesting that many organisations overestimate the level to which existing insurance cover provides for cyber risk.
Insurance places a cost on cyber risk through the premium paid, and the prospect of a reduced premium then encourages organisations to take steps to mitigate the risk. For a growing risk such as cyber, this should be an important spur to action ahead of losses becoming a problem.
Insurance goes arm-in-arm with loss prevention. Insurers will help organisations reduce their losses by providing insight from claims and near misses across their client base. That information asset is of particular value for cyber risk, because cyber is a new risk and incidents often go unreported.
The UK’s first national insurance services framework, developed by YPO, Crown Commercial Service, ESPO and NEPO, has recently been updated, following demand from public authorities and now includes new and emerging risks, such as cyber attacks. In particular, the framework has identified those specialists best equipped to partner with public sector organisations to help manage and mitigate cyber risks.
The framework acts as an important gateway for insurance specialists wanting to do business with public sector organisations, ensuring these organisations are adequately protected against new and emerging threats, which could have potentially damaging consequences on both the short- and long-term operations of a public authority.