With cyber attacks on the public sector increasing in scale and volume, should an active model of cyber insurance be adopted?  

Earlier this month (12 September 2024), it was reported that a 17-year-old boy had been arrested on suspicion of offences under the Computer Misuse Act, linked to the Transport for London (TfL) cyber incident at the beginning of the month.

Clare Ruel

Hackers allegedly gained access to 5,000 customers’ bank account details, prompting TfL to send advice letters to these customers communicating the bad news.

June 2024 also saw the NHS fall victim to a cyber attack, this time involving Russian ransomware group Qilin, which apparently exposed 400GB of sensitive information – including NHS numbers, dates of birth and descriptions of blood tests – on Telegram and the dark web.

The fallout from this attack disrupted hospital and GP appointments after the hackers failed to secure a payout, with NHS England subsequently forced to cancel thousands of procedures.

These examples are just the tip of the iceberg, however, and cyber attacks on the public sector have become relentless – but why?

Claud Bilbao, regional vice president for underwriting and distribution at cyber specialist Cowbell UK, told me that “the healthcare sector has been an attractive target for cyber criminals” due to the amount of sensitive data it owns.

He added: “Cyber criminals have discovered that when this information is sold to adversaries on the dark web, it can be highly lucrative. This most recent cyber incident reminds us that it is not only the personal data that needs to be protected within the healthcare space, but the whole network infrastructure.”

Historically underfunded

I recently spoke to Lindsey Nelson, head of cyber development at CFC, who explained that because the public sector “has historically been underfunded,” this limits its ability to put “robust security protocols in place, despite best intentions”.

Compounding this problem are limited resources such as staff, large attack surfaces and the interconnected nature of services maximising the effects of an attack.

Therefore, Nelson agreed that “the public sector and critical national infrastructure” remain attractive targets to threat actors.

She added: “Coupled with that perceived ease of access, threat actors typically targeting this sector are more likely to do so because of political motivations.”

Political motivations in this context include hostile nation state or nation state-affiliated actors gaining control of infrastructure to cause disruption and public disorder.

The other impact Nelson noted involved causing disruption and “compromised citizen privacy” to “undermine confidence in public governance”. 

The size of these organisations also contributes to their attractiveness for threat actors – just in the 2023/24 financial year, TfL was allocated £565m from the Greater London Authority, while the NHS resource budget for the same period is £168.8bn.

Active insurance 

So, considering this limited funding across the public sector, do standard cyber policies do enough by simply providing indemnification?

Enter ‘active’ cyber insurance – a term coined by MGA Coalition to describe risk prevention cyber policies that combine cyber security tools, incident response, digital forensics and insurance coverage.

Referring to the TfL incident as “low impact”, Tom Draper, Coalition’s UK head of insurance, said that the incident would still require funds to be reallocated. This, he said, “will reduce available spend for key services and erode saved reserves”.

Draper added: “Active insurance enables all entities to reduce exposure to cyber events, which is even more relevant for public sector entities that lack the resources and additional capital available to private companies.”

For Si West, cyber advisory lead and director of customer engagement at cyber insurer Resilience, these sorts of policies have come a long way.

West said: “It is much more than just a policy that pays out; with the right insurance provider it can be a tool to conduct comprehensive risk assessments.”

Resilience, for example, offers a 24/7 claims hotline, privacy lawyers, digital forensics and crisis communication.

West believes this approach is “transforming the cyber insurance landscape” through data analytics and artificial intelligence (AI), while also refining the underwriting process.

“This evolution enables insurers to evaluate risks with greater precision and tailor policies to the unique requirements of individual businesses,” he added.

Active insurance’s focus on prevention as well as insurance could be incredibly useful to the increasingly at-risk private sector.

But, most importantly, the insurance industry must collaborate more deeply with the public sector to prevent sensitive data being exploited.