In 2012 Robert Mueller stated that “there are only two types of companies: those that have been hacked and those that will be.” Today, that has not only proven to be largely accurate (as the recent spate of attacks on Facebook, Sony, Uber, and the DNC’s servers has demonstrated), but has also expanded to include government agencies and city infrastructures. This has prompted an explosion of investment in cybersecurity insurance: over 50% of the 25 largest cities by population in the U.S. now have some form of cyber insurance, according to a NewtonX survey with city information security executives. Cyber insurance runs cities millions of dollars per year, with premiums that exceed half a million dollars. And with hackers successfully extorting entire cities with ransomware, the industry seems poised for massive growth and adoption.
The insights from this article are sourced from NewtonX surveys, panels, and expert consultations.
In March of this year, the city of Atlanta was crippled by a ransomware attack that affected all 8,000 of the city’s employees, lasting a full five days. During the episode, the Atlanta Municipal Court could not validate warrants, police officers were forced to write reports by hand, the city stopped taking employment applications, and travelers at the Atlanta airport (one of the world’s busiest) were unable to use the free WiFi.
The culprits of the attack, the SamSam group, are known to be a formidable ransomware ring, and have successfully extorted more than $1M from over 30 organizations in 2018 alone. While the Atlanta attack was one of the most sustained and largest breaches of a city’s network ever, the city was not alone in being a target for hackers. Houston, Rockport, Baltimore, San Francisco, and Sacramento have all been targeted by hackers, endangering the safety and health of the millions of residents of these cities.
The Cost of Not Having Cybersecurity Insurance Is Too High
The majority of city-wide security breaches are forms of ransomware (where a hacker or network of hackers holds systems and machines virtually hostage until a ransom is paid), but the real costs to cities come not from ransoms, but from the screeching halt that being held hostage brings the city to. For instance, it’s estimated that the attack on Atlanta cost the city roughly $20M, even though it refused to pay the $50,000 that the attackers demanded.
Similarly, two months ago in Rockport, Maine, the city’s network was held hostage through malicious software demanding roughly $1,200 in Bitcoin as ransom. While the ransom was relatively small, the tiny town of 3,400 ultimately paid over $10,000 to cover the immediate restoration work, plus another $30,000 on security improvements.
Public sector attacks are rising faster than private sector ones: NewtonX experts estimated that roughly 40% of public entities will be victims of a ransomware attack this year, up from 30% last year. SamSam, the group behind the Atlanta attack, has targeted hospitals, police departments and universities, as these entities have sufficient money to pay the ransom, but don’t have the luxury of going off-line for an extended period. Hackers don’t start by targeting a specific city or network, but rather monitor for vulnerabilities and attack when they find one. This means that at some point or another, most cities are vulnerable to attacks, and need measures in place to protect against them.
The New City Cybersecurity: Not Just Protected, But Backed Up
Policies vary from city to city, but they can cover extortion costs, costs associated with networks being down (a key need for cities), and legal liabilities (such as citizen data being stolen). Houston recently purchased a $30M cybersecurity insurance plan with a $471,400 premium, and numerous other cities have followed suit.
Sompo, one of the more popular choices for cybersecurity policies for cities, covers Fort Worth, Charlotte, and Houston. Other insurers writing cybersecurity policies for cities include American International Group, Lloyd’s, and Axis Capital Holdings. According to a cyber product leader at American International Group, part of the impetus for getting cybersecurity insurance is the shortage of tech talent. Cities cannot pay the same salaries as their private sector counterparts, and because of that are having trouble keeping up with the sophistication of hackers. Many cities will immediately pay a ransom if it is small enough ($10,000, say) just because the cost of being shut down so significantly outweighs the cost of giving in to a ransom.
The cities that have not invested in cybersecurity insurance these days tend to fall into two camps: those that have not yet had a costly attack, and those that have the resources to invest in extremely sophisticated protection systems without third-party help. For instance, Los Angeles, which doesn’t use insurance, sees 45M unauthorized attempts to breach its systems per day, but uses advanced technology and cybersecurity analysts to neutralize 2,000 intrusions per week before any harm is done. Seattle, on the other hand, invested in its own insurance policy (essentially a fund it can draw on in the event of an attack), but reevaluates the need for a new policy each year.
Many cities, even major metropolitan areas, have invested in cybersecurity insurance policies on top of their own resources, however. San Francisco has a $50M cybersecurity policy for its public-health department, and wants to cover the entire municipal government. City cybersecurity policies will become increasingly necessary as legacy systems move into the cloud and government employees increasingly handle sensitive data through city networks. While cities can work to strengthen their cybersecurity, at the end of the day, most vulnerabilities occur because of a small human mistake that an employee makes — and when that happens, cities want an insurance plan.