Cybersecurity for Municipalities: Insurance, Trends and Best Practices
As if managing and running a municipality isn’t hard enough, local governments have recently been the target of cyberattacks that are increasing in both frequency and the severity of ransom demands. Just a few examples we have seen include:
- “We won’t talk more, all we know is MONEY! Hurry up!” — this was the ransom note that confronted Baltimore officials in May 2019 when hackers crippled government computers. Officials refused to pay a $100,000 ransom and spent $18 million to recover from the damages.
- In March 2018, Atlanta was the victim of a ransomware attack in which anonymous hackers disabled online access, encrypted files, and demanded a $51,000 ransom in exchange for the decryption key to regain access to system files. City officials refused to pay and recovery from the attack cost the city $17 million and a week of offline services.
- Within the span of weeks, two municipalities in Florida paid $1.1 million to cyber-extortionists after a user mistakenly clicked on a malicious link in an email.
Local government networks are attractive targets for cybercriminals and particularly susceptible to cyberattacks mainly because of the vast amounts of sensitive data they possess – social security numbers, property tax information, and tax and voter records to name a few. And because of budget cuts and perpetual revenue shortfalls, municipalities are often less prepared to deal with an attack. Outdated technology and the lack of dedicated IT staff add to the problem.
To effectively mitigate risk, local bodies will want to employ both offensive and defensive strategies. To proactively manage risk, a municipal cybersecurity program consisting of the following best practices is a good start:
- Password management policy – minimum number of characters/symbols, changed regularly
- Multi-factor authentication – especially for remote access to municipal networks
- Encryption — lost or stolen laptops, USB drives and mobile devices that contain unencrypted data are a main cause of data breaches
- Education and training – one of the biggest risks in any organization is its own employees
- Data backup — keeping regular backups of their systems offsite is one of the easiest ways municipalities can protect their networks from ransomware
- Vendor management – due diligence on all third-party vendors that have access to any confidential data and that interact with municipal networks and systems
- Develop an incident response plan and overall cybersecurity policies – consider using resources like the National Institute of Standards and Technology’s cybersecurity framework
One way that municipalities can further offset some of the risks and limit exposure is through cyber liability or cybersecurity insurance. It is important to note that cyber insurance is intended to complement, not replace, a municipal cybersecurity program. The policies can help cities and counties respond and recover, bring in cyber experts to evaluate the damage, and even help pay the ransom as a last resort.
In January 2021, a study from AdvisorSmith Solutions found that the average cost of cyber-insurance is $1,485 per year for companies with “moderate risks” and $1 million in company revenue. These premiums are based on liability limits of $1 million, with a $10,000 deductible. But be aware of the sub-limits on ransomware-related costs, which often can be as low as $25,000.
There is not a one-size-fits-all best practice for the amount of cyber insurance a municipality should procure, but with sufficient insurance and well-considered internal policies, local governments can minimize risk and concentrate instead on good governance, civic participation and community building.
The Coverage team at Teague Campbell has studied numerous types of policies and is available for advice and recommendations. If you have additional questions about cybersecurity or cyber insurance, reach out to a member of our Coverage team.