Cybersecurity insurance costs rise for municipalities as cases of ransomware attacks increase
Cybersecurity insurance costs are rising for local governments as incidents of cyberattacks continue to rise across the country.
The costs for communities to protect against such attacks have tripled in the past year, according to a municipal insurance expert.
“Cyber insurance costs have exploded in the past year, jumping about 200 percent,” said Paul Cornell, acting director of insurance services for the Pennsylvania Municipal League, a nonprofit that represents cities, districts, cantons, autonomous communities and cities. .
“Some of our members have seen their premiums go up significantly, and some are unable to purchase cyber insurance,” he said.
The FBI’s Internet Crime Complaint Center reported receiving 791,790 complaints in 2020 for all types of Internet crimes, representing a 70% increase from 2019. Reported losses during this period exceeded 4, $1 billion.
Lower Burrell previously had a general insurance policy which included cyber insurance. The board recently approved a separate one-year insurance policy that costs approximately $7,000.
The city has cut other insurance spending and the cost of the new cybersecurity policy is not expected to impact city finances this year, said Lower Burrell councilor Chris Fabry.
“No amount of insurance will prevent a cyberattack,” Fabry said. “We are looking to mitigate the damage should this occur.”
Lower Burrell continues to do its best to protect itself from all threats in the most “cost effective” way, Fabry said. “Just as covid has brought about a host of new costs, so has the ever-changing world of cybersecurity.”
In many cases, the cyber technologies that allow municipal governments to conduct more of their business online have outstripped protections, especially for smaller governments.
Many municipalities don’t have controls in place, such as multi-step authentication where a computer user enters two or more credentials to gain access to a system or website, Cornell said.
“Some communities are unwilling or unable to take such action,” he said.
There are communities that can’t buy cyber insurance because they don’t have the up-to-date IT systems, training or cybersecurity infrastructure to do so, Cornell said.
Ransomware holding information hostage
According to the FBI, ransomware attacks on local governments have disrupted operational services and caused public safety risks and financial losses. Local governments were the second most victimized group behind academia.
These attacks occur when a hacker gains access to files on a computer system and demands that a ransom be paid in the form of untraceable cryptocurrency in exchange for a “key” to unlock the files.
Butler Community College had to close for two days last year due to a ransomware attack. Nationally, the Colonial Pipeline, which supplies nearly half of the fuel consumed on the East Coast, paid $4.4 million to hackers who attacked the energy company with ransomware last year.
While the US government discourages institutions from paying a ransom, there is no law against it. The FBI notes that many organizations are making payments to restore service in a timely manner.
Why small governments?
In 2021, victims of local government agencies were mostly in smaller counties and municipalities, which is likely indicative of their cybersecurity resources and budget limitations, according to the FBI.
The ransomware actors, the majority of whom hail from Russian-speaking countries and Eastern Europe, do not target any particular industry or sector, said Jonathan Holmes, an FBI Supervisory Special Agent in Pittsburgh.
“Generally, these bad guys are looking for targets of opportunity,” he said.
If municipalities do not have offline backup and two-factor authentication and do not practice security measures, they are vulnerable to attack,” Holmes said.
The FBI cannot assess the volume of ransomware attacks against municipalities and others as accurately as it would like, as victims have been reluctant to report the cases.
New federal legislation this year requires companies that are essential to national interests to report ransomware.
Any municipality’s risk is based on its cybersecurity posture, Holmes said.
“Historically, smaller municipalities may not have the budget to implement some of the smaller security measures,” he said. “It’s an issue which means they could be vulnerable.”
With the prospect of ransomware attacks, Holmes said, municipalities face “a different risk calculus when working on their budget.”
“Do they have to pay extra funds for insurance or hire additional staff to secure their network and other measures?” he said.
Mary Ann Thomas is editor of Tribune-Review. You can contact Mary at 724-226-4691, [email protected] or via Twitter .