Cyber Security

1. Does the Council record the number of cyber-attacks it receives?

2. If yes, how many did it receive in 2020-2022?

3. Does the Council record the total financial cost?

4. If it does record the number of cyber-attacks it receives, how many did it receive in 2021 and 2022?

5. Does the Council have a cyber-insurance policy?

6. Has your cyber-insurance premium increased in the last year?

7. What is the percentage increase in your cyber-insurance premium?

In response to questions 1-7, Devon County Council (DCC) can neither confirm nor deny that this information is held, in accordance with Section 31(3) of the Freedom of Information Act 2000.

The Council considers information relating to cyber-attacks and cyber-insurance to be exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000 – ‘Law Enforcement’ – ‘the prevention or detection of crime’. This is because disclosure places the organisation at risk of fraud and crime.

Our view is that this information constitutes valuable intelligence, which could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure.  We feel that releasing this information would increase the chances of DCC becoming the victim of a cyber-attack. Attacks on IT systems are criminal offences. To provide information, or confirmation of information being held, might prejudice the prevention of crime by facilitating the possibility of an offence being carried out.

There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime, and although we appreciate that there is a general public interest in openness (because this increases public trust and engagement), this public interest should be weighed against a very strong public interest in safeguarding the security of Council networks and systems. Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities.

We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations.  For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure.