U.S. Cities Turn to ‘Cyber Insurance’ in Response to Hackers

While social media, ecommerce, healthcare, and more have all benefited from (or were made possible by) technology, the transfer of our lives to the internet has come at a cost. With more of our sensitive information online than ever – data that is tremendously valuable for both companies and individuals – there runs the risk of theft by individuals with nefarious intentions.

Data breaches are both costly and common. For every high-profile, newsworthy cyberattack, there are several smaller ones that don’t generate headlines. Something as innocuous as opening an attachment or clicking a link designed by hackers can grant network access, and they are always looking for new targets. US city government computer networks find themselves increasingly in the crosshairs and are turning to cyber insurance as a mechanism for protection.

What is Cyber Insurance and Who Needs It?

Cyber insurance policies are designed to mitigate the risks associated with network breaches by offsetting recovery costs after cyberattacks or similar events. Cyber insurance has roots in errors and omissions (E&O) insurance, with total premium value expected to reach $7.5 billion by 2020. It typically covers first- and third party-related expenses, including investigation, business losses, privacy and notification, and lawsuits and extortion.

While cyber insurance has gained popularity since its introduction in 2005, not all companies are on board. A report from RAND Corp., a nonprofit, reveals that most companies do not see cybersecurity as a worthwhile investment relative to the costs of a breach, which average around $200,000 (or the cost of a typical company’s annual security budget). Sasha Romanosky, a policy researcher at RAND who authored the report, described cyber risks as “[not] as big a deal as we think,” relative to the other risks a company may face. “It may be bad for you if you are the victim, but it doesn’t change the behavior or strategy of a company. Like you and me, companies are self-interested and operate in ways that minimize their costs. You can’t begrudge them for working that way.”

Because the whole picture of a cyberattack is rarely available – the full extent of security breaches is usually kept between insurance companies and policyholders in order to avoid PR nightmares – comprehensive data is difficult to come by. The total cost to the victim of a successful cyberattack is thus hard to pin down, for underwriters and prospective insurance buyers alike. Despite that fact, cyber insurance plans continue to evolve to keep pace with rapidly-changing cyberattacks – while attracting new clients.

Cities Embrace Cyber Insurance

City governments across the United States have embraced cyber insurance, with the majority of the 25 most-populous cities now either actively insured or currently researching plans, says a Wall Street Journal survey. Houston, the nation’s fourth-largest city, recently purchased a $30 million cybersecurity plan with a $471,400 premium after Christopher Mitchell, the city government’s chief information security official, described a system compromise as “inevitable.”

Cities around the country have steadily embraced preemptive action as they become aware of the likelihood of an attack – or the serious consequences of a system breakdown. A ransomware attack on Atlanta earlier in 2018 was one of the biggest reported breaches of a city’s network in history – fortunately, the city’s insurance policy took effect on January 1. The city refused to pay the $51,000 ransom, and Atlanta’s mayor, Keisha Lance Bottoms, estimated damages to be around $20 million. The city began submitting claims in the aftermath, though information about payouts was not made available.

Mark Barta, risk management director in Fort Worth, Texas, purchased a $5 million policy at a $99,570 premium in 2017 precisely to avoid an Atlanta-esque situation. “I wanted A to Z to have it covered,” he said. “I didn’t want to be in a situation on a Monday morning hearing this happened, and saying, ‘What do I do next?’”

That scenario played out in San Francisco in 2016, where the city was forced to turn off ticket vending machines for public transportation in response to a hacker infiltration of the city transportation agency’s system. San Francisco’s public-health department has a $50 million cyber insurance policy, but the tech capital of the world is now looking for coverage for the entire city government. It’s a cat and mouse game, says Michael Makstman, San Francisco’s chief information security officer. “This is their work, day in and day out…we do X, then they react with Y. We do Y, and then they react with Z.”

What Will the Future Bring?

Every city is different in their approach to cyber insurance coverage. Some major cities, like Seattle, remain self-insured but reevaluate acquiring additional protection each year. New York, Chicago, and Philadelphia have not publicized their cyber insurance status. Los Angeles doesn’t carry a policy, but Reuben Wilson, general counsel for public safety at the mayor’s office, says the city has implemented an “aggressive strategy to improve protection”: Firewalls block an average of 45 million unauthorized access attempts each day, and the city also created an operations center to identify and mitigate additional threats, to the tune of roughly 2,000 per week.

Regardless of their insurance plans, cities and individuals are increasingly aware of the threat posed by cyberattacks. As municipalities struggle to attract and retain skilled IT staff – a challenge even for major corporations – and deal with the realities of human error, they will continue to turn to cyber insurance as a safety net.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.

Leave a Reply