The news that cyberattackers, allegedly backed by the Russian government, had hacked into US federal government agencies, as well as other businesses in the US and the UK has had a chilling effect on the cyber landscape.
North of the border, Canadian public entities have likewise had their fair share of cyberattacks over the course of the past 12 months, seen most recently in November when two cities in New Brunswick were besieged by malicious cyber actors. From a risk and insurance perspective, municipalities can be a unique cyber puzzle to solve.
“They have so many different operations that fall under the umbrella of a municipality – everything from taxes, where there’s a significant amount of PII and financial records, to municipalities that handle their own wastewater,” said Coalition’s Miki Ho. “You’ve also got police services that are sometimes picked up under the municipality umbrella, where again, that’s a very different type of exposure, and you’ve got a whole lot of sensitive information that could be subject to targeted attacks … When you put it all together, it’s a very unique type of cyber risk.”
An added challenge is that municipalities’ systems are often operating independently of one another, without centralized oversight. That can make it more complicated for municipalities to protect all of their units from cyberattacks, while also dealing with constrained budgets amid a fast-developing risk landscape, in which even well-funded cyber defences can struggle to keep up to date with threats.
Cyber actors may likewise target municipalities because these entities’ hands are tied when faced with a ransom.
“Municipalities have been the specific target of cyber criminals, knowing that if they can’t operate some of their technology, they need to make a quick decision of whether to pay or not pay a ransom,” explained Ho. “In many cases, they have decided to make that payment just to get back up and running.”
This is a problematic trend that has had an impact on many public and private organizations, with Beazley reporting that the total cost of ransom payments doubled year over year over the first six months of 2020, based on incidents reported to the insurer’s in-house breach response team.
In light of this risk environment, cyber insurance has become a top-of-mind discussion within the municipality sector.
“Take-up has been varied – many of the large municipalities have been openly discussing cyber insurance for a number of years, but we’re now seeing a lot of the smaller municipalities who are interested,” said Ho. “In terms of the risk management piece, I think municipalities have definitely been considering cyber in terms of needing to proactively manage that risk. Some have made in-house investments, some have outsourced functions, like employee awareness and phishing training. Most municipalities are taking steps to proactively train their employees about the risks.”
Yet, the budget piece can still be a struggle, especially when insureds want to gain access to both risk transfer mechanisms and tools to defend against cyberattacks in the first place. On that front, Coalition is providing a two-in-one solution that combines the risk transfer piece with risk management tools, helping policyholders get out in front of new threats.
“A lot of municipalities and other companies are really starting to think of insurance in a way that they haven’t in the past, which is, ‘let’s not just transfer that risk, but let’s look for a partner that can help us manage that risk as well,’” added Ho.