Cybersecurity insurance costs are growing for local governments as incidents of cyberattacks continue to surge across the country.
The costs for communities to protect themselves from such attacks have tripled in the past year, according to a municipal insurance expert.
“The costs of cyber insurance have gone wild in the last year, jumping about 200%,” said Paul Cornell, interim insurance services director of the Pennsylvania Municipal League, a nonprofit that represents cities, boroughs, townships, home-rule communities and towns.
“Some of our members have seen large increases in their premiums, and some are unable to secure cyber insurance,” he said.
The FBI’s Internet Crime Complaint Center reported it received 791,790 complaints in 2020 for all types of internet crimes, which is a 70% jump from 2019. Reported losses during that period exceeded $4.1 billion.
Lower Burrell previously had a general insurance policy that included cyber insurance. Council recently approved a separate one-year insurance policy that costs about $7,000.
The city reduced other insurance expenses, and the cost of the new cyber policy shouldn’t impact city finances this year, Lower Burrell Councilman Chris Fabry said.
“No amount of insurance will prevent a cyberattack,” Fabry said. “We are looking to mitigate the damages should one happen.”
Lower Burrell continues to do its best to protect itself from all threats in the most “cost-effective manner,” Fabry said. “Much like covid brought on a slew of new costs, so does the ever-evolving world of cybersecurity.”
In many cases, the cyber technologies that allow municipal governments to conduct more of their business online have outpaced protections, especially for small governments.
Many municipalities don’t have controls in place, such as multistep authentication where a computer user inputs two or more pieces of information to access a system or an internet site, Cornell said.
“Some communities are unwilling or incapable of taking on such measures,” he said.
Some communities can’t buy cyber insurance because they lack the updated computer systems, training or cybersecurity infrastructure it requires, Cornell said.
Ransomware holding information hostage
Ransomware attacks on local governments have disrupted operational services, created risks to public safety and caused financial losses, according to the FBI. Local governments were the second-highest victimized group behind academia.
These attacks occur when a hacker gains access to a computer system’s files and demands a ransom be paid in the form of untraceable cryptocurrency in exchange for a “key” to unlock the files.
Butler Community College had to close down for two days last year because of a ransomware attack. At the national level, the Colonial Pipeline, which supplies nearly half the fuel consumed on the East Coast, paid $4.4 million to hackers who attacked the energy company with ransomware last year.
While the U.S. government discourages institutions from paying a ransom, there is no law against it. The FBI notes many organizations make payments to restore service in a timely fashion.
Why small governments?
In 2021, local government agency victims were primarily among smaller counties and municipalities, which likely is indicative of their cybersecurity resource and budget limitations, according to the FBI.
The ransomware actors, the majority of whom are from Russian-speaking countries and Eastern Europe, aren’t targeting any particular industry or sector, said Jonathan Holmes, a supervisory special agent with the FBI in Pittsburgh.
“In general, these bad guys are looking for targets of opportunity,” he said.
“If municipalities don’t have an offline backup and two-factor authentication and are not practicing security measures, they are vulnerable to attacks,” Holmes said.
The FBI cannot gauge as accurately as it would like the volume of ransomware attacks on municipalities and others because victims have been reluctant to report the cases.
New federal legislation this year requires ransomware reporting from companies that are critical to national interests.
Any municipality’s risk is based on its cybersecurity posture, Holmes said.
“Historically, smaller municipalities might not have the budget to implement some of the smaller security measures,” he said. “That’s a problem that means they might be vulnerable.”
With the prospect of ransomware attacks, Holmes said, municipalities face a “different risk calculus when working on their budget.”
“Do they have to pay additional funds for insurance or hire additional personnel to secure their network and other measures?” he said.