- Councils report being hit by more than 263 million cyber-attacks in the first half of 2019, averaging 800 attacks per houri
- Average successful cyber-attack on a council results in costs of £430,000, a bill ultimately paid by taxpayers
- Just 13% of councils hold a standalone cyber insurance policy meaning that the vast majority of UK authorities are underprepared for the financial deficit caused by a cyberattack, which could set them back millions of poundsii
Freedom of information (FOI) requests by Gallagher found that out of the 203 councils that responded, 101 had experienced an attempted cyber-attack on their IT systems since 2017. More than a third (37%) of these local authorities had experienced cyber-attacks in the first half of this yeariii.
The councils admitted to experiencing 263 million attacks in the first six months of 2019, equating to almost 800 attacks every hour. A further 204 councils either declined the information request over security concerns, or failed to respond, suggesting the true number of attacks across all councils could be more than double this and exceed 500 million in the first half of this yeariv .
Since the beginning of 2017, 17 attacks were reported to have resulted in a loss of data or money. The financial impact of such attacks can be extensive, with one council reporting a loss of over £2 million.
The threat of heavy regulatory fines for data breaches has risen since the implementation of GDPR. Councils could represent prime targets for cyber-attacks due to their holding significant amounts of personal data, Gallagher warns that the threat of a big fine from the Information Commissioner’s Office (ICO) is also potentially looming.
Local authorities remain fundamentally exposed when it comes to adequate insurance cover. From the research undertaken, only 34 councils currently hold a cyber-insurance policy - equivalent to just 13% of councils - that protects them from a financial loss or loss of data. Looking specifically at councils that have been hit by a successful attack previously, just one even now holds a cyber-specific policy.
Commenting on the epidemic of cyber incidents, Tim Devine, Managing Director of Public Sector & Education at Gallagher, said: “Our research illustrates the scale of the challenge facing local authorities in the UK. Councils are facing an unprecedented number of cyber-attacks on daily basis. While the majority of these are fended off, it only takes one to get through to cause a significant financial deficit, a cost which the tax payer will ultimately foot. Costs and reputational damage at this scale can be devastating for public authorities, many of which are already facing stretched budgets. In many scenarios, the people responsible for purchasing cyber insurance products need decisions to be made at member, or management level. The cyber threat and the need for cover needs to be high on every local authority’s agenda.”
*About the research
The research cited in this release is based on freedom of information requests sent to 407 local authorities in the UK. At the time of writing 342 councils responded between 10 August 2019 and 18 September 2019, 65 had failed to respond within the 20 working days limit. There are 408 authorities however the Isles of Scilly Council was removed from the sample as it was deemed too small.
The answers are based on the responses of 203 councils that provided full responses to the answers and extrapolated to all councils across the UK to provide an average. 139 responded but did not provide adequate information or declined the request, a further 65 failed to respond within the 20 working day limit.
For further press information, please contact:
Andrew McLagan
Smithfield
Direct Line: 020 3047 2006
Mobile: 07817 998161
Julia Cooke
Smithfield
Mobile: 07900 227672
- i 76 councils reported experienced 262,843,502 cyber-attacks in January to June 2019, rounded up to 263 million. 262,843,502 divided by the number of hours in the first half of the year (4,343) gives the total of number attacks happening per hour – 60,521, Divide this by the number of councils affected (76) to get the instance rate per council, 796
- ii 34 councils out of 255 that responded to the cyber insurance question had a standalone policy, equating to 13%
- iii 76 out of 203 councils reported cyber-attacks between January and the end of June 2019 which equates to 37%
- iv 76 councils experienced 262,843,502 cyber-attacks between January and end of June 2019. Based on the incident rate of 37% another 75 councils (37% of the remaining 204 councils that didn’t respond to the FOI request) may potentially have been affected. If you apply the average number of attacks (3,458,467) to the other 75 councils, a further 259,385,025 attacks may have occurred but have not been reported