Cyber Insurance for Municipalities

Why Municipalities Should Consider Cyber Insurance

One of the fastest growing ransomware targets for cybercriminal deplorables is municipalities. Yes, DEPLORABLES! Can you think of a term to better describe a group whose hobby is to ransom systems that run infrastructure around clean water, healthcare, and education among many other critical areas. 44% of global ransomware in 2020 targeted these local government entities according to Barracuda Networks. Why?

Outdated systems and stale technologies

Those in the local government space know that it can be like pulling teeth to get things approved. “Why are funds needed on improvements this year when we just allocated funds to this technology 5 years ago?! Is it broke!?”. Nope, but we sure are tempting fate and opportunity seekers from around the globe. Large municipalities can also have multiple departments with different policies and platforms that can leave the gate open.

Funding

Resources can be scarce when the list of needs is a mile long and the budget is tight. While the ransomware risk is high for municipalities so is the demand for funding toward other critical infrastructure and this is taken advantage of. Many state and local governments do not yet have a line item in the budget for Cybersecurity. School systems have been another popular target which goes along with the theme of strapped budgets that can’t keep up with their corporate counterparts in defending from cybercriminals.

History of paying up

Death by a thousand cuts. Local governments hit with debilitating ransomware attacks have paid their fair share of ransoms over the years. Maybe not huge sums by evening news standards but enough for the cyber criminals to come back to the low hanging fruit as they see it. The stake is not always the keys to the city infrastructure in exchange for a king’s ransom in bitcoin, but rather a hijacked email system and a promise of normal operations by tomorrow in exchange for a value in the low 5 figures. We don’t always know the details of such ransoms and if they were paid as it’s viewed as bad publicity and an embarrassment to City Hall. Some confirmed ransoms paid in Florida were Riviera Beach, FL paying 65 Bitcoin (~$600,000) and Lake City, FL paying $460,000.

Stick it to the man!

Hostile threats, some state sponsored, view any form of government in the U.S. as a worthwhile target. These attacks have cost U.S. governments billions of dollars over the years and that’s a good investment to some who like to see it. Local governments typically have vast amounts of information on voter rolls, tax information, social security numbers, and a load of other personal identifying information. Florida had the second most municipality cyber-attacks in 2020, followed only by Texas.

What can be done?

We recommend that municipalities look at their full spectrum cyber risk and take a three-pronged approach.

Education

A strong mandatory training program for all employees is often the first and best line of defense. Employees should be trained annually on the cyber threats ever present to them and the municipality. Many corporations and now some local municipalities have taken education a step further with their own fake phishing emails. These fake phishing emails bait employees and put the education to the test on who is reporting these to IT and who is wrongfully giving away their credentials. There’s some criticism with this technique but makes it clear whose skimming those yearly trainings. One thing is for certain, awareness through education reduces risk.

Strengthen defenses

Encrypted devices. Virtual Private Networks (VPN). Multi-Factor Authentication. Secure Email Gateway (SEG). Strong Password Management. Automatic Updates to Software and Operating Systems. These are all ways to stay ahead of bad actors in the cyber world and can also help in reducing Cyber Insurance premiums. These are not required defenses to get a Cyber Insurance Quote but help reduce risk which reduces premium.

Transfer Risk

As we’ve laid out, the risk is there and it’s substantial. An appropriate Cyber Insurance Policy can provide coverage that can transfer some of this risk for a premium. Cyber Insurance policies today can also assist with the latter two categories, Education and Defense strategies. The insurers don’t want to incur a loss so many have some of the best education and defense strategies for their insureds available. They also want to limit losses, so they have strong networks of forensic and recovery teams which is ultimately what the municipality needs to get back on their feet.