FOI release

SIA cyber insurance plans

Published 17 February 2023

1. Request

Does your organisation currently have cyber insurance or plan to invest in cyber insurance in the next 12 months?

If you have cyber insurance who is the policy with?

If you have cyber insurance when does the policy come up for renewal?

If you have cyber insurance what is the cost of your current policy or renewal?

2. Response

This information is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000. Section 31 of the FOIA relates to Law Enforcement, and Section 31(3) removes the public authority’s duty to confirm or deny whether information is held if to do so would or would be likely to prejudice law enforcement.

It is the SIA’s view that the confirmation or denial of the possession of information relating to the SIA’s cyber resilience would be likely to compromise the SIA’s information security strategies by giving cyber criminals insight into vulnerabilities which may, or may not, exist.

Although the bona fides of the request may be genuine, FOI responses are public information and are made to the world. Section 31(3) is a qualified exemption; as such, we have gone on to perform a public interest test in order to assess the public interest arguments for and against declaring whether or not the requested information is held.

In applying this exemption, we have had to balance the public interest in withholding the information against the interest in favour of disclosure.

Factors in favour of disclosure:

  • Confirmation of possession would demonstrate a commitment to transparency with regard to the SIA’s undertakings, and could provide assurance that the SIA have robust IT infrastructure in place.

Factors in favour of withholding:

  • Maintaining the integrity and security of the SIA’s systems.
  • Preventing cyber-attacks and similar against the SIA’s systems.
  • Revealing whether or not the information requested is held or applicable to the SIA would be likely to offer cyber criminals insight into not only the strengths of the SIA’s cyber security but also any potential weaknesses that may exist. This could ultimately result in a future cyber-attack. One of the reasons that cyber security measures are in place is to protect the integrity of personal and sensitive personal information.
  • It is clear to see how the occurrence of a future cyber-attack would prejudice the SIA’s legal duty to safeguard personal information from loss, theft, inappropriate access, or destruction, which is why Section 31 has been employed in this case.
  • A cyber-attack could have catastrophic consequences for SIA services for licence holders and applicants, exacerbated by the dependence on these services at a time of a national emergency from Covid-19.

On balance the public interest in maintaining the exemption outweighs that in confirming or denying whether information is held and therefore the SIA neither confirms nor denies whether this information is held. In all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

[Reference: FOI 0392]