The ongoing disruption at Higham Lane School and a fresh data breach warning from the Royal Borough of Kensington and Chelsea are reinforcing broker concerns about cyber resilience across UK public bodies and where insurance can, and cannot, absorb failure.
More than a week after a “serious cyberattack” at Higham Lane School in Nuneaton, the academy remains only partially open. The Department for Education has confirmed it is supporting the school, but there is still no date for a full return to in-person teaching.
The Central England Academy Trust has said the attack disabled not only IT systems but also electronic gates, fire alarms and electronic registers, extending disruption beyond teaching and into core operational safety.
The school incident follows a warning from Kensington and Chelsea Council that sensitive personal information may have been copied and taken during a cyberattack on shared local authority IT infrastructure late last year.
The council said small samples of accessed data suggest some of it was personal and sensitive, and warned residents that it could be used to make scams appear legitimate. People were advised to be cautious of unsolicited calls, messages or emails claiming to be from the council.
The incident also affected Westminster City Council and London Borough of Hammersmith and Fulham. Investigations are ongoing with the Metropolitan Police and the National Cyber Security Centre.
Brokers say the mechanics of the latest incidents are well established across public-sector cyber claims.
Nathan Hankin, head of UK retail cyber & tech E&O at Aon, said the type of data exfiltration seen in recent cases is not unusual. Similar methods, he noted, have “also happened to many UK councils and other sites”.
For insurers, the concern is not novelty but repetition: the same failure patterns recurring across different public bodies.
Ethan Godlieb, associate partner – cyber, tech & fintech at Consilium, said the incidents highlight a persistent gap between cyber exposure and investment in prevention.
“I would actually say that spending on cyber prevention and security is paramount to looking after the children, patients or service users,” Godlieb said. “It isn’t separate from their core purpose; it’s part of it. Those two things go hand in hand.”
He added that while insurance and government-backed response frameworks can support recovery, they cannot compensate for structural weakness. “What these incidents reveal is that many institutions are still under-prepared in terms of infrastructure, backup strategies and broader security culture,” he said.
“Insurance and government schemes can help them respond when things go wrong, but they cannot fully compensate for weak systems, poor backups or a lack of cyber hygiene.”
For insurers and brokers, the latest incidents sharpen a familiar question: whether cyber cover is increasingly being asked to absorb failures of governance, resilience and prevention that sit outside traditional risk transfer.
As cyber disruption in education and local government becomes more visible, underwriting scrutiny is shifting toward fundamentals - identity controls, backups, system segregation and security culture - rather than incident response plans alone.
Where those foundations are weak, the challenge is no longer pricing the risk, but deciding whether it is insurable at all.