Early last year, cybercriminals infected the city of Atlanta’s municipal operations systems with malware and demanded a ransom of approximately $50,000 in bitcoin to restore them.
When city officials did not immediately respond and the hackers removed the payment portal, rescinding the opportunity to fulfill the request, the recovery ended up far costlier than the initial demand: Expenses related to incident response, digital forensics, extra staffing, infrastructure expertise and crisis communications totaled nearly $2.7 million in emergency funds.
While Joe Caufield, chief underwriting officer at OneBeacon Government Risks, notes that the average public-entity client is a fairly low-tech operation, don’t let that fool you or them into believing they’re safe from cyber risk. A 2017 survey by the International City and County Management Association found that 44% of local governments regularly face cyberattacks—but 28% do not know how often they are attacked, and a whopping 41% don’t know if their systems have actually been breached.
In particular, “the ransomware exposure is exploding” for public entities, says E. Stuart Powell, Jr., former vice president of technical affairs at the Independent Insurance Agents of North Carolina, whose sister corporation brokers insurance for the state.
“Local governments seem to be drawing a fair share of ransomware attacks,” Caufield agrees. “They definitely use computers in their operations, and certainly have servers and routine type of administrative systems now that are subject to these ransomware attacks.”
Unlike a data breach, where cybercriminals hack into systems in order to steal actual data and records, ransomware is a specific kind of cyberattack in which hackers lock up a victim’s systems so they can’t be used or accessed, then demand money in return for restoring them.
While municipalities hold personally identifiable information like tax records, “they’re not like a state or a university or a large retailer,” Powell says. “Cybercriminals are probably not as interested in stealing the data of cities and counties as they would be in something like a Target, and that makes ransomware a much more attractive criminal tool for cities and counties than data breach.”
The insidious genius of ransomware, Powell explains, is that “cybercriminals understand that the money for ransomware is easier and quicker than capturing all this data and trying to sell it on the dark web. They’ve figured out how to set these ransoms at a price that is cheaper than what it would cost you to fix the problem.”
Assuming a ransomware victim can even figure out how far back they’d have to go to get a clean backup to restore their systems on their own, the dilemma then becomes, “do I pay these guys $10,000 in ransom, or do I spend $25,000 fixing the problem?” Powell points out. “The problem with choosing to pay the ransom is, if you don’t get that software out of your system, what’s to stop them from doing it again six months from now?”
Coverage solutions are available that address ransomware but “the problem from a technical standpoint is that there aren’t any standard cyber forms yet, and agents are often as in the dark on this as their clients are,” Powell points out. “Figuring out exactly what your client’s exposure is, and then reading forms and finding which one is best—they don’t all do the same things and they don’t all do them the same way and they don’t all call them the same thing. It’s almost impossible to compare these forms until you know specifically what you want covered, and most clients don’t know what their specific exposures are.”
Powell expects standardization to hit the cyber market eventually, but it could take a while. “There’s a sort of known curve—we’ve been through this with other coverages like employment practices liability, where when it first becomes an issue, you have all these specialty forms coming out in the excess & surplus markets,” he says.
Then, “slowly but surely, the standard markets pick it up, and next thing you know ISO’s got a form out and the smaller markets are dealing with it,” Powell continues. “There’s certainly going to be that curve here, but I think what may be exacerbating the curve is the exposure keeps changing so fast that it’s hard to keep up with it. Cybercriminals are coming up with stuff faster than we can figure out what to do about it.”
Beyond that, “the take rate for cyber coverages and products remains low to moderate” among public entities, Caufield points out. “And that’s not for want of quite a few brokers trying—they do routinely offer it with p-c program renewals.”
Why aren’t more public entities biting? Caufield suspects it’s not necessarily because they’re not aware of the risk. Instead, “the IT manager at a local government would rather have the funds to adopt or adapt cybersecurity controls than buy insurance and essentially finance the loss,” he explains. “And if anything, that’s kind of what an underwriter wants to hear—‘We can’t afford insurance because we have to make sure we have the right protections in place to prevent the ransomware attack from happening in the first place.’”
“A lot of this is about risk management, because the primary objective should be to not have a claim,” Powell agrees. “If something happens, it’s nice to have insurance to help you pay for it, but the aggravation factor and the disruption to your business—there’s nothing the insurance company can do about that.”
Powell, a former pilot, knows firsthand the consequences of losing technology once you’ve become dependent on it. “Digital navigational equipment is just incredible today, but if it goes out and you’re in the air, you better be able to do it by compass and clock or you’re in trouble,” he points out. “Technology’s a wonderful thing, but when you lose it, it just is incredibly debilitating.”
This article originally appeared on IAmagazine.com and is reprinted here with permission.