Cyber Insurance

Ransomware affects all types of organizations, including local governments.  Cyber insurance is one of the options that is used to deal with these types of attacks.  However, there is a clear need to look elsewhere for solutions due to rising cyber insurance costs and the challenges that local governments are facing with getting approved for cyber insurance policies that cover damages and potential needs for a ransomware attack.

Approval for cyber insurance policies have become more rigorous.  Furthermore, it has come to local government’s attention that it might not be beneficial, nor allowed at some point in time, to pay cyber criminals.

This is giving local governments something to think about.  Self-insurance and service providers’ cyber incident warranties are a couple of the options that municipalities are considering in an effort to handle ransomware and other types of cyber incidents.

When you note that in Sophos’ State of Ransomware 2022 report, about half of state and local governments worldwide paid ransomware extortions, you know why cyber insurance challenges are a top priority.

The Sophos study shows that the rate of ransomware payment is quite high.  Globally, 49% of state and local agencies paid ransomware in 2021, while only 32% of financial services organizations paid ransomware in the same year.  K-12 entities topped the list of ransomware payment with 53% of those types of entities having paid to get data back.

 

Local Government Ransomware Rates and Recovery Time

When it comes to government ransomware payment rates it’s interesting to note that typically, cyber criminals will be open to negotiating what they think the victims can afford.

For state and local governments worldwide, the average paid in 2021 was $214,000 per ransom.  The Sophos report shows that this was the second lowest rate across sectors.  Boston CISO and co-chair of the Coalition of City CISOs Greg McCarthy, told GovTech that the amount he had heard of was around $500,000.  It was noted by Rita Reynolds, CIO of the National Association of Counties (NACo) that negotiating ransom prices enables governments to check the status of their backups and decide if they can recover from the ransomware attack without paying.

Another aspect that Reynolds told GovTech is the fact that you are not guaranteed a quick path back to normal even if you pay the ransom.  Companies in various sectors took months to recover from attacks and there wasn’t a huge difference from the organizations that didn’t pay to those who did pay the ransom.  In fact, U.S. counties often see recovery times last longer.  Reynolds states that it is due to organizations having to check that their systems are completely clean from infiltration, that all viruses have been completely removed, before putting the data back online.

Additionally, when you pay to get your data back, you don’t know if some of the data will be corrupted.  This means there is a need to check for hidden backdoors on the data that would allow another attack to take place.  McCarthy adds that recovery takes place in stages and that critical assets are addressed first.  Everything else comes after the first month of focus on putting back online the critical assets needed to be completely operative.

 

Local Government Ransomware ‘To Pay or Not To Pay’ Debate

The never-ending debate ‘to pay or not to pay’ is not a straightforward one because of the complexities of ransomware.

First of all, in some cases it’s illegal, such as in North Carolina where paying ransomware has been banned for all government entities.  Another example of the practice being outlawed is in Italy, although 43% of ransomware victims surveyed by Sophos reported paying.

Where there is a choice to pay, there may be the feeling of having to pay due to not knowing how to recover systems on their own or if facing an outage that involves life-essential services.  Also, noted by McCarthy is that sometimes even governments who are capable of restoring data from backups will pay to stop hackers from leaking the sensitive data.

Knowing the cyber criminals’ motives and identities are ideal to know what level of threat you’re dealing with and if they will return the data or perhaps, they could have different intentions.  Alan Shark, the executive director of CompTIA’s Public Technology Institute (PTI), notes that payment doesn’t guarantee hackers leave the systems alone or avoid striking again.  Shark also says that sometimes it is the insurers, not just the government, who are making assessments because insurers conduct ransomware negotiations for clients.  Furthermore, insurers consider it cheaper to pay than to resist ransomware payment.

What Sophos found about state and local governments worldwide paying ransom, is that they only received 59% on average of their data back after payment was made.  State and local governments were found to be more likely than the average to have their insurance fund ransom payments for their “most significant” cyber incidents.  Agencies on the other hand are significantly less likely to have insurers pay the costs of getting back up and running.

 

Local Government Cyber Insurance Prerequisites

To get cyber insurance coverage there are a number of best practices that U.S. cities and counties must meet, plus the raising costs.  These aspects are making it twice as hard to get coverage.

Shark mentions that the first thing insurers want from municipal clients is for them to complete an 11-page application that details cybersecurity training and defenses because they want to assess the risk of taking on prospective state and local government clients.  According to Reynolds and McCarthy the cybersecurity measures insurers want from clients are reasonable, but this doesn’t mean they are not challenging to implement.

The questionnaires that you fill out for cyber insurance are very detailed.  One of the first questions that you can expect to see is about multifactor authentication.  Reynolds states that if you answer no, which means you don’t have multifactor authentication in place, you can forget about getting coverage or having your cyber insurance renewed. Also, local governments are priced out of meeting best practices and from what McCarthy has to say, the number of controls or the number of security measures to get a reasonable rate is nearly impossible for small municipalities to implement.

Through the Infrastructure Investment and Jobs Act, state and local governments will receive $1 billion of cybersecurity funding over the next four years, which should help some.  However, the process of completing the cyber insurance applications will still be a challenge; especially if there isn’t the right IT expertise around to fill it out.  Shark points out that if the form is filled out incorrectly the insurance company is not obligated to pay you because technically you falsified the record.  Having enough insurance is also important.

 

Local Government Overcoming Cyber Insurance Challenges

Self-insuring is one of the ways local governments are attempting to get around the cyber insurance challenges.  Cities like Boston are putting this into practice.  Self-insuring means that the organization’s budget funds will pay for the emergency cost.  This is also an attempt to save on premiums.

Another way state and local governments plan to get around the cyber insurance challenges is by re-insurance, which means clients assume more of the risks.

Additionally, a new market that has arisen, and can help with cyber insurance, are managed service providers (MSPs).  MSPs offer a level of ransomware and data breach warranties to customers.

Other measures for state and local governments to move beyond the cyber insurance challenges include endpoint subscriptions to platforms such as CrowdStrike.  Crowdstrike’s endpoint detection platform can get an amount of money for cyber extortion payments, which includes up to $100,000 in ransom.

Due to struggling, some state and local governments might go this route too since companies like Crowstrike are accessible to them.

 

The challenges with cyber insurance involve heightened costs and rigorous application requirements, but as you can see, not all is lost.  As long as state and local governments put in the work, there are many options to consider and ways to get what is needed done.

Let’s talk if you need help getting beyond cyber insurance barriers: https://calendly.com/ncxgroup