4 Steps to Becoming Cyber Risk Savvy: How to Be a Smart Customer of Cyber Insurance

Author: Kavanagh, Shayne

Cyberattacks are a clear and present danger for all organizations, but local governments are particularly vulnerable. A 2020 study found that local governments are more likely to be targeted by ransomware than any other kind of organization, and that 44% of ransomware attacks in 2020 targeted local governments, a share similar to 2019. (1) The trend does not appear to be abating: between 2020 and 2021, ransomware attacks on government organizations increased nine-fold. (2)

Local governments are attractive targets for cybercriminals for a few reasons. (3) First, local governments are "soft targets," meaning their networks are typically not very secure. For example, smaller local governments may not have dedicated IT staff, much less dedicated cybersecurity staff. On top of that, local governments often operate many disparate services, which creates a large attack surface. In other words, an attacker could gain access to a city government's network through information systems in public works, community development, or any other department. Second, local governments hold sensitive data such as tax records, voter information, citizen and employee health-related data, and employee social security numbers. They also provide essential services that cannot be interrupted. A soft target with sensitive information and essential services is the proverbial "low-hanging fruit" for the cybercriminal. A third and perhaps surprising reason is the public profile of local governments: transparency requirements, open data sets, public-facing internet-enabled transactions, and more.

This public profile gives attackers an advantage in planning an effective strategy to penetrate a local government's defenses. Private firms, by contrast, have a greater ability to conceal their activities from the public and, therefore, from cybercriminals.

Cyberattacks are expensive. Cities like Atlanta and Baltimore have made headlines with the extreme cost of a cyberattack. Each is reported to have incurred over $15 million, including data recovery costs and the cost of downtime and lost revenue. (5) The risk is not limited to large governments. In 2019, the City of Stuart, Florida (population 16,000) was hit with a ransomware attack and a demand for $300,000. The city elected not to pay and had to spend about 2,000 hours of staff time managing the recovery and work-arounds, as well as a significant sum replacing and upgrading hardware and software. (6) Further, a study of the costs of cybercrime across industries found barely any relationship between the size of the victim organization and the size of the loss. (8) In other words, a smaller organization does not necessarily mean lower potential losses from cybercrime.

The potentially extreme consequences of a cyberattack have led many local governments to turn to cyber insurance. Given the potential losses from an attack, transferring the risk to the insurance market could be an attractive proposition. However, cyber insurance is a relatively new instrument compared to traditional lines like property and liability insurance, and the cost or availability of a policy can change dramatically in a short time. In fact, as of this writing, many governments have experienced rapidly increasing premiums. This article will help local governments approach cyber insurance in a risk-savvy manner and make smart decisions about how to invest in protection against cybercrime.

As a first step, let's understand three fundamental issues with cyber insurance that an informed consumer must be aware of.

First, insurance is remedial, whereas controls (cybersecurity measures) can be preventative. For example, training on safe computing practices makes it less likely that an employee clicks a malicious link in an email, thereby avoiding an attack that could otherwise have succeeded.

Prevention is generally preferable to remediation. Cyberattacks can have consequences beyond what insurance can cover. For example, the City of Stuart found that even if it had been able to use insurance to pay the ransom, the files "restored" by the cybercriminal would have been dumped into a single folder, with new names and no file extensions. Insurance is not an "undo button" for a cyberattack. There are also indirect effects of a cyberattack that are best avoided, such as the hit to a local government's reputation. Reputation is not an inconsequential intangible: a loss of public faith in government has consequences, and a perceived vulnerability to cybercrime could also affect bond ratings. (8) This means local governments must be savvy in choosing when to invest limited resources in better cybersecurity controls versus cyber insurance.

Second, commercial insurance is, by design, a "bad bet" for the insured on average. If it weren't, insurance companies would go broke. This is why governments can sometimes reduce costs by self-insuring. That does not mean local governments should never buy commercial insurance: it is well suited to protecting against catastrophic losses that a government cannot absorb. Local governments must therefore be savvy in determining when to accept the risk (self-insure) and when to transfer it to commercial insurers.
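The accept-versus-transfer reasoning above can be made concrete with a small worked calculation. The following Python is an added example and is not from the original article; every scenario, probability, dollar amount, policy term (deductible, limit, premium), reserve figure and the control effectiveness factor is a constructed assumption for illustration, not data from any real government or insurer. It shows the two sides of the article's point in numbers: with a premium above the expected payout the policy is a losing bet on average, yet it is the only option here that keeps the worst year inside what reserves can absorb, while a preventative control lowers the expected loss but leaves the catastrophic tail untouched.

```python
"""Accept-vs-transfer comparison for cyber risk (added illustration).

All scenarios, probabilities, dollar amounts, policy terms and the control
effectiveness factor below are constructed assumptions, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # annual probability that this outcome occurs
    loss: float         # total direct loss in dollars if it occurs


# Constructed annual loss scenarios for a hypothetical small local government.
# Exactly one scenario occurs per year, so probabilities sum to 1.
SCENARIOS = (
    Scenario("no material incident", 0.80, 0.0),
    Scenario("phishing, credential reset and cleanup", 0.15, 25_000.0),
    Scenario("ransomware, restored from backups", 0.04, 400_000.0),
    Scenario("ransomware, prolonged outage and rebuild", 0.01, 3_000_000.0),
)

# Assumed policy terms and the largest single-year hit the budget can absorb.
DEDUCTIBLE = 50_000.0
LIMIT = 2_000_000.0      # maximum the insurer pays above the deductible
PREMIUM = 60_000.0
RESERVE = 1_500_000.0


def insured_payout(loss, deductible=DEDUCTIBLE, limit=LIMIT):
    """Insurer's payment for one loss: nothing below the deductible, capped at the limit."""
    return max(0.0, min(loss - deductible, limit))


def expected_loss(scenarios):
    """Probability-weighted annual loss with no insurance."""
    return sum(s.probability * s.loss for s in scenarios)


def expected_payout(scenarios, deductible=DEDUCTIBLE, limit=LIMIT):
    """Probability-weighted annual amount the insurer would pay out."""
    return sum(s.probability * insured_payout(s.loss, deductible, limit) for s in scenarios)


def net_loss(loss, deductible=DEDUCTIBLE, limit=LIMIT, premium=PREMIUM):
    """What the insured pays in a year with this loss: premium plus the uncovered remainder."""
    return premium + loss - insured_payout(loss, deductible, limit)


def worst_case(scenarios, insured):
    """Largest single-year cost across scenarios, with or without the policy."""
    if insured:
        return max(net_loss(s.loss) for s in scenarios)
    return max(s.loss for s in scenarios)


def prob_exceeds_reserve(scenarios, insured, reserve=RESERVE):
    """Annual probability that the year's cost exceeds what reserves can absorb."""
    cost = (lambda s: net_loss(s.loss)) if insured else (lambda s: s.loss)
    return sum(s.probability for s in scenarios if cost(s) > reserve)


def with_control(scenarios, factor, threshold):
    """Model a preventative control (e.g. patching plus phishing training) by scaling
    the probability of every scenario with loss >= threshold by `factor` and returning
    the freed probability mass to the no-loss scenario. `factor` is an assumed
    effectiveness, not a measured one."""
    reduced, freed = [], 0.0
    for s in scenarios:
        if s.loss >= threshold:
            reduced.append(Scenario(s.name, s.probability * factor, s.loss))
            freed += s.probability * (1 - factor)
        else:
            reduced.append(s)
    base = min(reduced, key=lambda s: s.loss)  # the no-loss scenario
    return tuple(Scenario(s.name, s.probability + freed, s.loss) if s is base else s
                 for s in reduced)


def compare(scenarios=SCENARIOS):
    """Side-by-side numbers behind the accept-vs-transfer decision."""
    el, ep = expected_loss(scenarios), expected_payout(scenarios)
    return {
        "expected_loss_uninsured": el,
        "expected_payout": ep,
        "premium": PREMIUM,
        "expected_cost_insured": el - ep + PREMIUM,   # above el when the premium exceeds ep
        "worst_case_uninsured": worst_case(scenarios, insured=False),
        "worst_case_insured": worst_case(scenarios, insured=True),
        "p_exceeds_reserve_uninsured": prob_exceeds_reserve(scenarios, insured=False),
        "p_exceeds_reserve_insured": prob_exceeds_reserve(scenarios, insured=True),
    }


if __name__ == "__main__":
    controlled = with_control(SCENARIOS, factor=0.5, threshold=400_000.0)
    for label, scen in (("baseline", SCENARIOS), ("with assumed control", controlled)):
        print(label)
        for k, v in compare(scen).items():
            print(f"  {k:30s} {v:>14,.2f}")
```

Reading the output for the baseline: the expected loss is $49,750 and the expected payout $34,000, so paying a $60,000 premium raises the expected annual cost to $75,750 (the "bad bet on average"). But the uninsured worst year is $3,000,000, twice the assumed reserve, while the insured worst year is $1,060,000 (premium plus deductible plus the $950,000 above the limit), which the reserve covers. Halving the ransomware probabilities with an assumed control cuts the expected loss to $26,750 but does nothing to the $3,000,000 tail. The control effectiveness, the scenario set and the dollar figures are the inputs a government would have to estimate for itself; the arithmetic is the easy part.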

Third, the market for cyber insurance continues to change and evolve with the level of threat that cybercrime poses to governments. The cyber insurance market is relatively underdeveloped, with fewer actuarial models than other insurance lines that have existed for decades or even centuries. Hence the market is evolving rapidly as sellers and buyers come to better understand the nature of the peril and the financial implications of insuring it. As of this writing, the market is tightening, with policies becoming unaffordable or unavailable for local governments that lack adequate controls to prevent cyberattacks. Local governments must therefore be savvy about the evolving nature of the cyber insurance market and not assume that today's coverage will be available at comparable prices in the future.

With these issues in mind, how should a local government approach cyber insurance? The rest of this article will take you through a step-by-step procedure for considering the costs versus the benefits of cyber insurance.

Risk Mitigation vs. Risk Transfer, or Cybersecurity Controls vs. Cyber Insurance

We will start from the premise that a local government has limited resources, so a dollar invested in cyber insurance is a dollar not invested in controls. The advantage of controls is that they can be preventative: they can stop the attack from doing damage in the first place. A software patching strategy leaves fewer vulnerabilities for cybercriminals to exploit. Controls can also reduce the potential damage if an attack does succeed; for example, high-quality data backups make it easier to recover lost data. Insurance, by contrast, is always remedial: it cleans up the damage after it has happened.

The advantage of insurance is that it can provide some relief from catastrophic losses where it is impractical to develop sufficient controls. Hence there is a trade-off to consider. How can this trade-off be analyzed? We will present a four-step process:*

Step 1--Know the basics of your cybersecurity situation

Step 2--Quantify your risk

Step 3--Examine the potential of insurance

Step 4--Periodically reassess

STEP 1

Know the basics of your cybersecurity situation

Some local governments will have a good handle on their existing cybersecurity situation, but others may not. There are three questions to ask as part of Step 1:

What are the most important assets you need to protect? The most important technology assets are those that hold sensitive data or administer mission-critical functions. Sensitive data may include social security numbers, credit card information, bank account information, any kind of health data that might be protected by law (e.g., the U.S. Health Insurance Portability and Accountability Act), and criminal justice data. Examples of critical systems include enterprise resource planning (ERP), tax revenue systems, and public health or public safety systems.

What threats are most important?

Today, ransomware attacks are the most prevalent threat. Other possible threats include denial of service attacks, leaks of sensitive data, and cyber sabotage of various forms. Ransomware will likely remain the top threat because there is a clear financial incentive for the perpetrator. It is worth noting that these threats can combine: for example, a ransomware attack could also lead to a data leak, since attackers commonly copy data out before encrypting it and threaten to publish it if the ransom is not paid.

What is the state of your controls?

State and local governments have been challenged to find the resources to keep up with cyber threats. Important controls include multifactor authentication, firewalls, encrypted data storage, encrypted data backups, incident response planning, training staff to recognize phishing, software patching, and endpoint detection and response (EDR).** In a 2021 survey, (9) respondents indicated that cybersecurity spending focused on software, hardware, backup, monitoring, and training. Incident response was listed as a lower priority. Only 57% of responses indicated that cybersecurity training was done annually for all employees.

The focus areas for business continuity in the face of a cybersecurity attack were data backups and recovery, operational business plans, and ensuring manual work-arounds in case of an outage.

There are comprehensive frameworks for addressing cybersecurity risks, like the CIS Critical Security Controls (18 controls in version 8; perhaps the most accessible for local government), COBIT, NIST, and ISO. These are valuable for organizations with the sophistication to use them...
