As cyberattacks grow, cyber insurance is increasingly out of reach for many municipalities

You're reading Route Fifty's Public Finance Update. To get the latest on state and local budgets, taxes and other financial matters, you can subscribe here to get this update in your inbox twice each month. You can find a full archive of these newsletters here.

Welcome back to Route Fifty’s Public Finance Update! I’m Liz Farmer and this week I’m writing about cyber insurance amid a dramatic increase in ransomware attacks on governments.

Breaches of public entities and services are up 40% in the second quarter of 2023 compared to the first, according to a threat assessment by the tech company BlackBerry.

The increase comes on the heels of a rise in cyberattacks in 2022 as well. Third party-related ransomware attacks, in particular, increased by 136% last year and accounted for 52% of incidents, according to the most recent ForgeRock Identity Breach Report.

Health care and education accounted for more than half of the reported cyberattacks. One of the largest ransomware attacks of 2022 affected 2.5 million health care users, and a breach in an online record and grade tracking system hit more than 600 K-12 institutions, affecting 14 million students. The average cost of an incident in 2022 was $9.4 million, although it varies wildly from case to case.

This year has been worse, thanks to the string of cyberattacks in late May involving the file transfer software MOVEit. That breach, one of the largest in history, has so far affected more than 1,100 governments and companies and nearly 56 million people worldwide. The total estimated cost to organizations and individuals is more than $10 billion and climbing.

These breaches via a third-party service provider are quickly becoming one of the most troublesome cybersecurity issues for municipalities, says Fitch Ratings’ public finance cybersecurity expert Omid Rahmani.

“Whereas they used to be rare seven or eight years ago, this is becoming very typical,” Rahmani said recently on the Public Money Pod. “It’s proving to be a challenging nut to crack because you basically have to rely on somebody else’s security protocols.”

Cyberattacks on public entities such as governments, hospitals and universities are costly, often disrupt services, and can hurt an organization’s credibility with taxpayers and ratings agencies. And as cybersecurity costs have shot up, so too has cyber insurance—when it’s even an option. As breaches via third-party vendors continue to rise, many caution that governments need to recalibrate their approach to managing cyber risk.

Localities Deemed Riskiest by Cyber Insurers

Most state and local governments have cyber insurance, which helps reduce the financial risk associated with attacks. But that coverage is getting harder to secure and increasingly expensive—especially for municipalities.

According to a report by the actuarial and consulting firm Milliman, average annual cyber insurance premiums for localities nearly doubled between 2020 and 2021, and in some cases tripled. The new average rates for municipalities were exceedingly higher than other industries—as high as 12 times the base rate—and two of the 10 insurers reviewed did not offer coverage to municipalities at all. 

Meanwhile, coverage has shrunk and the requirements for coverage have become more stringent. Many insurers won’t cover a municipality until it demonstrates it has the proper cybersecurity controls in place, such as implementing encrypted data backup, multifactor authentication, data segmentation and password policies.

If a government can successfully implement these best practices, premiums could theoretically go down, noted Andrew Provines, author of the Milliman paper. But that would likely take several years, he wrote, adding that actuaries “typically [require] several years of data to have confidence (called “credibility”) that the best practices have been successful and that it is reasonable to expect lower loss activity to continue.”

These trends have led some to argue that the federal government should take a more active role in local government cybersecurity aid and recovery, similar to natural disaster air from the Federal Emergency Management Agency. After all, infrastructure critical to national security, such as power grids and drinking water, are largely controlled by local entities. The federal Cybersecurity and Infrastructure Security Agency does provide some grant funding for states and localities to use on cyber preparedness and training. Still, the total amount of $165 million over 10 years is equivalent to the cost of one cyberattack on a major hospital system last year.

Others have proposed that states get more directly involved in local government cybersecurity via the newly established federal State and Local Cybersecurity Grant Program. A study by Deloitte and the National Association of State Chief Information Officers suggests that states use their role as program administrator to take a more centralized approach to cybersecurity that would include facilitating information sharing with and training local governments on managing cyber risks. Arizona is one place that is already taking a whole-of-state approach by offering cloud-based security services to state and local agencies free of charge.

Mitigating Risk in Other Ways

Even as hackers get more sophisticated, most breaches are still caused by humans rather than technological vulnerabilities.

“Organizations are often breached because at least one workforce user’s account—an employee, contractor, partner, or supplier—within the organization itself becomes compromised through credential-stuffing attacks, an email phishing or SMS ‘smishing’ attack that tricks an employee into entering credentials at a spoofed domain, or other means,” the ForgeRock report said. 

“Implementing single sign-on and [multifactor authentication] to all internal and external systems and services, along with solid identity governance practices,” the report added, “can help secure organizations against data breaches due to unauthorized access.

For local governments, training and preparedness is a major gap. NASCIO reported that while 94% of state staff and contractors are trained yearly, just 41% are at the local level. (This gap is likely the reason that 61% of state governments said they will require cybersecurity training for local governments to be eligible for federal cybersecurity funds.) 

As for cyber attack response plans, a 2019 National League of Cities survey said that 75% of governments reported having a plan. But only two-thirds of them had reviewed the plan in the last year, an audit rate that Provines called troubling.

From a credit rating perspective, according to Fitch’s Rahmani, training and planning are some of the least expensive and most effective ways to mitigate risk—especially when technology is rapidly advancing.

“In a world where this risk is only going to become worse, recovery is going to be key. It’s like ‘Rocky,’” he said, referencing the iconic movie character created by Sylvester Stallone. “It’s not going to be about how hard you hit. It’s going to be about how hard you can get hit and keep going.”