Cyber Attacks

1. Has the council experienced an attempted cyber-attack in 2019? Please answer yes or no. – we neither confirm or deny that this information is held in accordance with Section 31(3) of the Freedom of Information Act 2000.

We believe that information relating to any attempted cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. Such systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.

Confirming or denying whether information is held on cyber-attacks and what remedial measures may or may not have been taken could aid malicious parties by encouraging further attacks. Attacks on IT systems are criminal offences, so to provide information or confirmation of information being held might prejudice the prevention of crime by facilitating the possibility of an offence being carried out. There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime.

Although DCC appreciates that there is a general public interest in openness (because this increases public trust and engagement), this public interest should be weighed against a very strong public interest in safeguarding the security of Council specific systems. Indeed, it can be held as not in the interests of an individual council to provide information about the number of attacks that may or may not have been made against its IT systems as this could enable individuals to deduce how successful the council is in detecting these attacks and incurring this risk can be deemed not in the public interest.

Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities.

2. How many attempted cyber-attacks has the council experienced in 2019 (up to 30.06.2019), 2018 (full year) and 2017 (full year)? – we neither confirm or deny that this information is held in accordance with Section 31(3) of the Freedom of Information Act 2000, please see our response to question (1) above.

3. Has the council experienced a cyber-attack in 2019 that resulted in a loss? Please answer yes or no. – we neither confirm or deny that this information is held in accordance with Section 31(3) of the Freedom of Information Act 2000, please refer to our response to question (1) above.

4. How many cyber-attacks has the council experienced in 2019 that resulted in a loss (up to 30.06.2019), 2018 (full year) and 2017 (full year)? – we neither confirm or deny that this information is held in accordance with Section 31(3) of the Freedom of Information Act 2000, please refer to our response to question (1) above.

5. Please state the cost to the council of the cyber-attacks that the council experienced in 2019 (up to 30.06.2019), 2018 (full year) and 2017 (full year) – we neither confirm or deny that this information is held in accordance with Section 31(3) of the Freedom of Information Act 2000, please refer to our response to question (1) above.

6. Does the  Council purchase insurance via an insurance broker?  Please answer yes or no. – Yes

If so, from whom? – Arthur J Gallagher

7. For the year 2018/19, does the Council purchase Cyber Insurance?  Please answer yes or no. – Yes.

If so, what is the name of the insurer? – Ascent Underwriting

8. Please state the premium spend of the insurance product – £46,540 + IPT

9. Please state the job title and level/banding for the person who is responsible within the Council for purchasing these insurance products – Corporate Insurance Manager, Grade H, Salary range £36,876 to £40,760.