More governments have cyber incident coverage than ever before, but the escalated risk of ransomware and cyberattacks means higher premiums, rising deductibles and greater scrutiny of security protocols.
It’s becoming increasingly expensive and difficult for municipal governments to insure themselves against cyberattacks.
The cost of cyber insurance has risen dramatically in recent years as hackers found city, county and state governments to be easy targets for ransomware attacks. But in addition to increasing premiums, experts say insurance carriers are changing other terms of coverage—lowering the total amount of coverage limits and requiring municipalities to meet higher security benchmarks to even qualify for coverage.
The cost of cyber insurance rose 300% this year for the Local Government Insurance Trust, a member-owned association that offers pooled insurance to 191 Maryland municipalities.
“For the coming year, we are expecting possibly even higher pricing with more limited coverage than we currently have,” said Executive Director Tim Ailsworth.
This year, the increase in cyber insurance costs was mostly absorbed by the pool, but if prices continue to climb, it could lead to price hikes for participating municipalities, Ailsworth said. To help members better protect themselves from cyberattacks, Ailsworth said the trust is working with a cyber consulting firm that gives municipalities daily updates on cyber threats and provides coaching on best security practices and information on upgrading the security of computer networks.
Proliferation of Cyber Insurance
Cyberattacks that steal data or hold computer systems hostage for ransom are not a new threat to local governments, which have been targeted by hackers in a number of high-profile attacks in recent years. But hackers have grown more brazen in their exploits, even targeting police departments, and are increasingly demanding higher payouts to return stolen data.
To protect against the high costs related to such intrusions, more local governments have come to rely on cyber insurance, which can cover expenses associated with a data breach and recovery or, as has been seen in a number of recent cases, pay a ransom to get back stolen data or unlock a system.
A recent survey found that 90% of local governments have cyber insurance, up from 78% in 2020. But the survey, by the CompTIA Public Technology Institute, also found that 69% of local governments are paying higher cyber insurance premiums.
The Missouri Municipal Trust, a member-operated insurance pool that purchases cyber liability coverage for 93 small to mid-sized Missouri municipalities, is among those that saw prices rise in recent years, said Executive Director Matthew Brodersen. But this year, the limits on coverage also changed. The available limit for municipalities’ incident coverage dropped from $1 million to $250,000 and deductibles rose from $5,000 to $25,000, he said.
The changes worry him.
“If things continue to trend poorly, we might have to look at self-insuring the risk,” Brodersen said. “This is similar to the abandonment of public entities by commercial insurers in the late 1970s and early 1980s that caused pools to develop nationwide.”
Some carriers also plan to exclude ransom payments from their cyber coverage, meaning municipalities could get financial assistance to recover from a data loss but insurers would not pay money to satisfy a ransom, Ailsworth said.
The change would likely be welcomed by law enforcement—the FBI has long advised those in the private and public sector not to pay ransom to hackers, saying it “provides an alluring and lucrative enterprise to other criminals.”
Harder to Qualify
Insurance carriers are also requiring municipalities to demonstrate better security protocols for their IT systems in order to qualify for cyber insurance coverage.
“It used to be this coverage was kind of secondary coverage that was thrown in,” said Dave Grubb, executive director of New Jersey’s Municipal Excess Liability Joint Insurance Fund. “The underwriters are becoming increasingly demanding in terms of what a town has to do to show they will prevent these losses.”
Those precautions could be things like upgrading computer systems or software, conducting regular cybersecurity training for employees, or regularly backing up computer systems, he said.
Ailsworth said governments that previously could qualify for cyber incident insurance by answering four questions may soon be required to complete a security audit and a much longer questionnaire about security protocols in order to qualify. Those that do not could face higher deductibles.
Insurance experts applaud the changes, noting that if municipalities take steps to improve network security, they are less likely to fall victim to a cyberattack. But for governments that are unable to make the required upgrades, the changes could lead to loss of coverage.
“It’s not inconceivable in another year or two that unless a municipality or other entity, government or not, can show it’s dotting its I’s and crossing its T’s, that entity will be uninsurable,” Grubb said.
Andrea Noble is a staff correspondent with Route Fifty.