Cyber insurance is critically important for municipalities. With ransomware attacks targeting municipalities more than any other industry — even more than schools or healthcare organizations — a perfect storm for major disruptions exists since municipalities are also often the least-equipped to handle a cyberattack. Many municipalities don’t even have basic cyber security measures in place — multifactor authentication, also known as MFA; endpoint detection and response, or EDR; and data backup.
Because of their vulnerabilities to cyber attack, insurers increasingly see municipalities as uninsurable. Municipalities are facing several steep challenges when seeking cyber insurance:
- Many insurers are refusing to serve municipalities.
- Insurers are raising premiums to a very high level.
- Most insurers are tying lower premiums, or any premium at all, to a municipality implementing cyber best practices.
Below are questions and tips for municipal officials to consider when navigating the cyber insurance environment.
Why is acquiring cyber insurance so problematic for municipalities right now?
In the last year, the cyber insurance market has hardened significantly, which means that premiums are increasing and the number of insurance carriers is decreasing. At the same time, there have been increased cyberattacks on municipalities, such as the 2021 incident in the City of Oldsmar, Florida, where a hacker attempted to poison the city’s water by dangerously increasing the quantity of lye in the water. Insurers have also perceived that many municipalities have failed to implement cyber controls.
Between all of these issues, many commercial cyber carriers have left the municipal cyber insurance market. The lack of available insurance carriers has dramatically decreased the insurance limits that are offered, increased the premiums, and increased deductibles.
Given these challenges, how can municipalities make sure they can acquire cyber insurance for a price that’s as affordable as possible?
In order to be considered for cyber insurance, municipalities should proactively assess their cyber controls and mitigate any vulnerabilities. At a minimum, cyber carriers expect cities to take these steps:
- Have multifactor authentication in place.
- Use Microsoft Office 365 as well as Office 365 Advanced Threat Protection.
- Pre-screen emails for malicious attachments and links.
- Back up key servers and data at least monthly.
- Use isolated backups that aren’t connected to the city’s network.
- Regularly test restoring data and information backups.
- Conduct regular phishing training.
If a municipality doesn’t have those controls in place, they may be ineligible for coverage or they may face higher premiums and deductibles.
In what ways is the Municipal Association of SC helping members with cyber insurance?
Members of the Municipal Association of South Carolina-sponsored property and liability program, the South Carolina Municipal Insurance and Risk Financing Fund, receive a limited amount — $100,000 — of cyber coverage directly through SCMIRF. If a SCMIRF member city applies and is approved, then SCMIRF will pay the cost of a commercial cyber liability policy that provides higher limits and coverage for first-party losses which are losses experienced by the insured city. This covers things like data breach forensics, identity monitoring, breach coaching, data or systems restoration, extortion costs — hackers can lock out a system and demand a ransom — and business interruption.
The coverage also provides for third-party coverage for those who are not the policyholder but who experience losses. This covers items like damages, judgements and settlements.
Risk Management Services is offering a cyber liability tabletop training exercise for SCMIRF members on August 9 and August 10. Cybersecurity will be one of the topics discussed during Tech Talks at the Municipal Association’s Annual Meeting.