1. Cyberattacks:
Please confirm whether your council has experienced any cyberattacks during this period. If so, for each year, please provide:
The number of incidents.
The type of cyberattack(s) (e.g. phishing, ransomware, DDoS).
The duration and severity of any service disruption caused.
The total cost incurred per incident (including recovery, legal fees, consultancy, fines, etc.).
2. Cybersecurity and Related Spending:
For each of the years 2023, 2024 and 2025, please provide:
a) Total annual spend on cybersecurity (including systems, software, and third-party providers).
b) Annual cost of cyber insurance policies (if applicable).
c) Any compensation paid to individuals or businesses as a result of cyberattacks or data breaches.
In response to questions 1 and 2, Devon County Council can confirm that we hold the information you have requested. However, we consider this is exempt from disclosure under Section 31(1)(a), the prevention or detection of crime, of the Freedom of Information Act 2000.
This is because the Council considers that this information constitutes valuable intelligence, that could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure. We feel that releasing this information would therefore increase the chances of Devon County Council becoming the victim of a cyber-attack.
We have considered the public interest in releasing this information. While we recognise that there is a public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of it’s IT systems. We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations. For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure.