Reading Time: 9 minutes

Municipal Leagues Say Cities Must Get Cyber Insurance and Implement Best Practices

Kevin Howarth, Marketing & Communications Manager

Cyber insurance is critically important for municipalities. Ransomware hits municipalities more than any other sector, more even than schools or healthcare organizations, and a perfect storm exists because municipalities are also often the least equipped to handle a cyberattack. Many municipalities do not even have the "basic basics" in place: multi-factor authentication (MFA), endpoint detection and response (EDR), and tested data backups.

Because of this situation, insurers increasingly see municipalities as uninsurable. Municipalities face several steep challenges:

  • Many insurers are refusing to serve municipalities
  • Some are raising premiums to a very high level
  • Most are tying lower premiums (or any premium at all) to a municipality implementing cyber best practices

To educate municipalities about this critical situation while also providing some tips on navigating the cyber insurance environment today, we talked to four insurance experts from our municipal league partners. The following questions were answered by:

  • Stan Deese, Director of Risk Management Services, Georgia Municipal Association
  • Doug Goforth, Deputy Executive Director, Kentucky League of Cities
  • Kasi Koehler, Marketing Manager & Local Administration, Iowa Communities Assurance Pool
  • Heather Ricard, Director of Risk Management Services, Municipal Association of South Carolina

Why is acquiring cyber insurance so problematic for municipalities right now?

Stan Deese: A few key reasons are making cyber insurance difficult for municipalities to acquire:

  • Lack of quality underwriting data
  • Lack of controls in place to protect data such as multi-factor authentication (MFA), patch management, and cybersecurity education/training
  • Lack of dedicated funding to put proper controls in place
  • A limited marketplace for public entity business
  • Many cities contracting out IT services or using local IT companies
  • Municipalities targeted for cyberattacks (such as the City of Atlanta)

Doug Goforth: Cyberattackers consider municipalities an easy target, and municipalities have competing demands for their often limited budgets. Historically, cybersecurity has not been a priority compared to all the other vital services that citizens expect.

Kasi Koehler: During 2020-2021, we saw some very large cyber claims related specifically to public entities. Some major ones included successful hacking at water treatment plants in Florida and San Francisco. The Colonial Pipeline ransomware attack, although not aimed at a public entity, still targeted an organization at the scale of a utility. Because of the critical services public entities provide combined with a municipality’s lack of cybersecurity understanding—and the threat exposure it presents—public entities are considered to be a very high-risk group.

Heather Ricard: During the last year, the cyber insurance market has hardened significantly. Due to the increased cyberattacks on municipalities such as the Oldsmar, Florida incident and the perceived lack of cyber controls municipalities have implemented, many commercial cyber carriers have exited the municipal cyber market. The lack of available insurance carriers has dramatically decreased the insurance limits offered, increased the premiums, and increased deductibles and self-insured retentions.

Talk about how this problem is compounded when municipalities lack a solid cybersecurity foundation.

Stan Deese: If/when a breach occurs, a lack of IT infrastructure could result in a municipality being “down” for a longer period of time if they don’t have the proper data backups in place. In this situation, it is more challenging to recover lost data. Also, identifying and notifying potentially affected parties could become a time-consuming process for municipal staff.

Doug Goforth: Insurance companies are asking more questions about the cybersecurity a municipality currently has in place. They’re using that information to base decisions on whether they want to offer coverage (or continue to offer coverage) and what types of limits and deductibles they want to make available. It comes down to three questions for insurers:

  • Will I provide coverage to a municipality?
  • What coverage will I provide the municipality?
  • What costs do I want to consider when providing a policy to municipalities?

Kasi Koehler: Carriers providing cyber insurance previously weren’t asking municipalities many questions such as, “Do you use MFA? How are your backups encrypted? What kind of passwords do you use? How did you come up with your password policy?” When you don’t ask, you don’t know what you don’t know.

Then, insurers started receiving large claims related to utilities and needed to ask questions related to these cyberattacks. Insurers determined that there was a huge lack of cybersecurity understanding in the municipal world and they clamped down, such as not providing any coverage for anyone that doesn’t have MFA.

Our pool has a group self-insurance program where we provide automatic coverage for cyber, but there are many programs that don’t provide it. If you don’t get into automatic coverage, then finding your own cyber insurance on an individual basis gets really difficult. And if you’re not doing simple best practices like MFA, you’re not going to get coverage at all. Carriers are very risk-averse right now.

Heather Ricard: As commercial carriers continue to exit the market, municipalities should strengthen their cybersecurity controls in order to obtain cyber liability insurance. If a city doesn’t have a solid cybersecurity foundation in place, they face the possibility of an uninsurable risk.

What are the financial repercussions if municipalities become ineligible for cyber insurance—either through denied coverage or cost prohibitions?

Stan Deese: A municipality and its elected officials can experience significant operational and reputational damage. Without an insurance carrier providing cyber coverage, a municipality likely does not have access to experts such as breach counsel and forensics to help mitigate an attack. Although municipalities have immunity on state law claims in Georgia, we are not seeing claims resulting from liability. The claim costs are being incurred in relation to notification costs (such as event management) for which there is no immunity. Municipalities can expect business interruptions and extra expenses in the wake of a cyberattack.

Doug Goforth: Cyber claims are expensive. There are really three main components of a cyber claim:

  1. The ransom component. In and of itself, this can be quite costly.
  2. The recovery and restoration component. We’ve found from cyber claims that it will often take several months to recover, even if the data is recoverable. The recovery and restoration will often cost far more than a ransom. On top of that, you don’t want the same cyberattack to happen again, so you need to take preventative measures to shore up any cybersecurity gaps. You’ve already been a successful target, so somebody can turn around and immediately attack you again if you don’t put the proper defenses in place.
  3. Reputational risk. We’ve seen reputational damage from high-profile cyberattacks that happened to large cities across the country. Local leaders don’t want to explain to residents why their 911 system doesn’t work. The aftermath of a cyberattack can range easily from several hundred thousand to well over a million dollars for this unbudgeted event.

Kasi Koehler: The financial repercussions start with a municipality’s need to get back to square one with their systems. Cyber breach coverage helps cover the cost of such activities. Our automatic limit is $250,000, with several members that jump up to $1 million. Costs include notifying those who could have been breached and anyone possibly compromised. To follow state rules, including cases where affected individuals moved to a different state, many legal documents must be filed depending on where people live. There are also other laws to follow after a breach.

That’s just the beginning. Municipalities also need to get their systems cleaned up. If any litigation arises from a municipality’s lack of systems oversight or keeping systems updated, a liability claim could result. While I haven’t yet seen a cyber liability claim or a municipality getting sued with the rationale of not doing what they were supposed to do from a cybersecurity best practices standpoint, I’m waiting for it to happen.

Heather Ricard: While the members of the Municipal Association of South Carolina’s insurance programs have not had many cyber liability claims, the largest expense for many of those claims has been the forensics investigation to determine how the breach started. For a minimal breach, the cost of forensics work has ranged between $40,000 and $75,000. For a complicated breach, that cost could be much more. If a claim required breach notification and credit monitoring, attorney assistance, and/or payment of ransomware, then the costs could be very high. If a city is uninsured, then all those costs would be borne by the city.

Given these challenges, how can municipalities make sure they can acquire cyber insurance for a price that’s as affordable as possible?

Stan Deese: The best chance a municipality has to secure broad and cost-effective coverage is to have the proper cybersecurity controls in place. The most important controls right now are:

  1. Multi-factor authentication
  2. Patch management
  3. Daily backups
  4. Isolating cloud backups
  5. Recognizing and replacing unsupported software
  6. Email scanning and filtering
  7. Authenticating email
  8. Remote desktop protocol
  9. Encrypting sensitive information
  10. Restricting administrative privileges
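Item 7 in that list, authenticating email, is one of the few controls a city can verify for itself from the outside before an insurer asks. The script below is an added example for this article, not code from VC3 or any of the leagues quoted; it parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable (`+all`, `p=none`, missing aggregate reporting, too many DNS lookups). The domains and records are constructed for illustration; the `spf.protection.outlook.com` include is assumed as the standard Exchange Online value because the page mentions Office 365. DKIM is left out because it cannot be judged without the selector's public key.

```python
"""Check SPF and DMARC records for the weaknesses behind an insurer's
email-authentication question.

Added example for this article, not code from VC3 or the municipal leagues
quoted. Runs offline on constructed records.
"""
import re

# Constructed sample records (city.example is not a real domain).
WEAK_SPF = "v=spf1 include:mail.city.example +all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"  # assumed M365 include
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@city.example"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@city.example"

# Mechanisms/modifiers that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Summarise an SPF record: qualifier on 'all', lookup count, findings."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "lookups": 0,
                "findings": ["not a v=spf1 record"]}
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier, mech = "+", term.lower()  # "+" is the implicit qualifier
        if mech[0] in "+-~?":
            qualifier, mech = mech[0], mech[1:]
        name = re.split(r"[:/=]", mech, maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    findings = []
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every sender; SPF gives no protection")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; use '~all' or '-all'")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return {"valid": True, "all": all_qualifier, "lookups": lookups, "findings": findings}


def parse_dmarc(record: str) -> dict:
    """Summarise a DMARC record: policy, percentage, reporting, findings."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": None, "pct": 0,
                "findings": ["not a v=DMARC1 record"]}
    policy = tags.get("p", "").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to reveal spoofing")
    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


def assess_domain(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks into the yes/no an application form asks for."""
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    passes = (spf["valid"] and spf["all"] in ("-", "~") and spf["lookups"] <= 10
              and dmarc["valid"] and dmarc["policy"] in ("quarantine", "reject")
              and dmarc["pct"] == 100)
    return {"passes": passes, "findings": spf["findings"] + dmarc["findings"]}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        result = assess_domain(spf, dmarc)
        print(f"{label}: {'PASS' if result['passes'] else 'FAIL'}")
        for finding in result["findings"]:
            print("  -", finding)
```

To run it against a real city domain, fetch the TXT record at the domain and at `_dmarc.<domain>` (for example with `dig TXT`) and pass the two strings to `assess_domain`. A domain that publishes SPF with `-all` and DMARC at `p=reject` with reporting enabled answers the insurer's question honestly; `p=none` is monitoring, not enforcement, and should be treated as a gap on the application.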

Doug Goforth: Municipalities need to make cybersecurity a priority in their annual budget process now. And it needs to stay there. They need to hire an IT expert. It can’t be someone who “knows something about computers.” They need to hire someone who can coordinate all their data and network security in one place. Whether it’s an individual(s) or a trusted provider, they can’t just turn it over to anyone.

Cybersecurity is a marathon, not a sprint. It may not be possible to become the Fort Knox of cybersecurity, but municipalities have got to at least get the basics completed and continue to evolve their process because cybercriminals also continue to evolve. We have to keep pace with them.

Kasi Koehler: Our recommendations for public entities include:

  1. Multi-factor authentication for remote access, laptops, and privileged access.
  2. Endpoint detection and response with 24/7 support.
  3. If using Remote Desktop Protocol connections, then implementing VPN access only, setting up MFA for access, and enabling network level authentication.
  4. Onsite and offsite data backups that are tested at least twice a year, encrypted, protected with antivirus, and able to be brought up within 24-72 hours.
  5. Planning and training around incident response, business continuity, social engineering, phishing, fraud, and general cybersecurity training.
  6. Proactive patch management (installing critical and high severity patches within 30 days of their release).
  7. A plan or adequate measures in place to protect software at end of life.

Heather Ricard: In order to be considered for cyber insurance, municipalities should proactively assess their cyber controls and mitigate any vulnerabilities. At a minimum, cyber carriers expect cities to:

  • Have multi-factor authentication in place
  • Use Office 365 as well as O365 Advanced Threat Protection
  • Pre-screen emails for malicious attachments and links
  • Take at least monthly backups of key servers and data
  • Use isolated backups that aren’t connected to the city networks
  • Regularly test restoring backups
  • Conduct regular phishing training

If a municipality doesn’t have those controls in place, then they may be ineligible for coverage or may incur higher premiums and/or deductibles.

In what ways is your municipal league helping members with cyber insurance?

Stan Deese: The Georgia Municipal Association is educating its membership through webinars, memos, and newsletter blasts that relate what we are seeing in terms of cybercrime, controls that need to be in place, and utilizing ARPA funds to pay for any needed security measures. We are looking into resources available through CISA and third-party vendors to assist our membership with implementing the recommended controls.

Georgia Interlocal Risk Management Agency (GIRMA) members have been receiving cyber coverage since 2011. Over the last 10 years, we have enhanced and improved our coverage as types of cybercrime have evolved. GIRMA makes grant monies available that can be used for cyber assessments and cyber protection services.

Doug Goforth: The Kentucky League of Cities (KLC) partnered with VC3 and the Department of Homeland Security (DHS) to provide free webinars and cyber training to our members. KLC Insurance Services (KLCIS) also recently offered a first of its kind $1 million Cybersecurity Preparedness Grant for insurance members to take care of cyber essentials. We’ve already given members over $500,000 toward meeting those goals.

Our strategic partner, VC3, is offering reduced pricing for a Cybersecurity Essentials Package for KLC Insurance Services members. Together, we’re really hoping to move the needle on putting members in a better cyber defensive position going forward.

Kasi Koehler: The Iowa League of Cities has an IT in a Box program that they endorse and provide for municipalities. It comes with security features and systems support that municipalities need. Our cyber risk team suggests this program to cities as a really good way to improve their cybersecurity. It’s a platform that gives carriers like us an opportunity to talk about cybersecurity at Iowa League events and educate member cities. Such a solution is less intimidating to them because the league endorses it, giving member cities the feeling that a simple service will take care of their needs.

Heather Ricard: The members of the Municipal Association of South Carolina-sponsored property and liability program, the South Carolina Municipal Insurance and Risk Financing Fund (SCMIRF), receive a limited amount ($100,000) of cyber coverage directly through SCMIRF. If a SCMIRF member city completes an application, and is approved, then SCMIRF will pay the cost of a commercial cyber liability policy that provides higher limits and coverage for first party losses, including forensics, notification, identity monitoring, breach coaching, data restoration, systems restoration, extortion costs, and business interruption.

The coverage also provides for third-party coverage including defense expense, damages, pre-judgment interest, judgments, post-judgment interest, settlements, and PCI assessments. The policy provides for $1 million liability expense coverage and a $5 million pool aggregate. No cyber eCrime loss coverage (such as fraudulent instruction, telephone fraud, and funds transfer fraud) is included.

In addition to insurance coverage, our loss control staff is working to identify a cyber assessment to allow members to assess (or use a 3rd party to assess) their cyber controls. Our staff is also developing a grant to help cities remedy any deficiencies discovered during the assessment process. Finally, the SCMIRF program is providing a cyber liability table-top training exercise in August.
