Rising Cost of Cyber ​​Insurance ​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​

Horry County, South Carolina, officials were alarmed earlier this year, when they discovered their cyber insurance was going up from $70,000 last year to nearly $210,000.

And if they could not meet the demands of the insurance company and prove that they have the control power needed to protect and protect themselves from cyberattacks, they learned, they would not be able to renew their $5 million policy.

“Insurance companies sell you pot. There hasn’t been much discussion,” said Tim Oliver, the state’s chief information officer.

Across the United States, many local and state governments — as well as private companies — are in the same boat. They have realized that cyber insurance premiums have skyrocketed and that they must meet strict guidelines if they want to be covered or renew their policies.

“Cyber ​​insurance was very affordable,” said Alan Shark, director of the CompTIA Public Technology Institute, a Washington, DC nonprofit that provides consulting services to local governments. But things have changed, and insurance companies are increasing their rates and raising prices and making it harder to get insurance. Some local governments may not be able to access it either. “

Insurance industry executives say the higher costs for government agencies and private individuals are due to a rise in demand for coverage amid frequent and costly cyber-attacks — often ransomware attacks. That means insurers have to pay more, which has led them to raise premiums and tighten standards to get policies. Some companies have also downgraded information or reduced the amount of information they provide.

Stateline News

Ransomware Attacks The Biggest Question for Local Authorities: To Pay or Not to Pay?

Last August, for example, American International Group, one of the country’s largest writers of cyber insurance, announced that the prices of its customers. has increased by about 40% worldwide and that it is promoting the principles of its policies to stop the damage of the Internet.

In the past three years, the number of online insurance companies in the United States it increased by 100% year-on-year, according to the May report of Fitch Ratings, a credit rating agency. In 2021, insurers paid 8,100 claims.

In order to reduce risk and potential losses, insurers are becoming more diligent during the application process to protect themselves from cyberattacks, according to Loretta Worters, a spokeswoman for the Insurance Information Institute, the industry’s trade group.

“If any government agency or business has such a problem and fails to address it, it may result in significant costs or non-remediation,” Worters wrote in an email.

Companies now want to ensure that organizations have updated software and firewall protection, a backup system, cyber training for employees and vulnerability testing, among other requirements.

They also want organizations to use more authentication methods, including remote services. Such security technology verifies a user’s identity before logging in, usually through a one-time password or a code sent to a mobile phone or email.

Cyber ​​insurance often covers a wide range of services, such as providing legal expertise to investigate the breach, legal assistance, hardware replacement, data recovery and breached information. Other laws include negotiating a ransom with the kidnappers and paying the ransom.

Insurance changes mainly from the outbreak of ransomware, which hijacks computer systems, encrypts data and stores it until victims pay a ransom or restore the system themselves. It is often spread through phishing, where hackers send malicious emails or attachments and people unknowingly click on them, releasing malware.

In 2020, ransomware attacks accounted for 75% of cyber insurance in the US, according to AM Best, a credit rating agency.

In the past few years, there has been a rise in ransom threats for cities, county governments, school districts, police agencies and health systems. Small governments, especially small ones, can be vulnerable because they may have limited resources and staff with cyber security expertise.

In 2021, there were at least 77 local and state governments and another 88 in school districts, colleges and universities, according to Brett Callow, cybersecurity analyst, Emsisoft. This year, at the end of June, there were at least 28 demonstrations in the districts and 33 in the schools.

In Baltimore, where thousands of computers were disabled in the biggest ransomware attack in 2019, it cost the city about $18 million – including lost or delayed revenue and costs to restore systems.

The city, which didn’t pay the ransom and didn’t have cyber insurance, decided to spend $835,000 over one year. buy $20 million to eliminate any interference with its network. It continued to purchase annual cyber insurance.

Stateline News

Small Cities Worry Cybersecurity Money Won’t Reach Them

Some local governments choose to pay the ransom because they need their data urgently and think it is the best option. Some think it would be too expensive and time consuming to start over and rebuild everything.

Many local governments see cyber insurance as a necessity in case of an attack, which makes it even more confusing that their costs have increased and there are new requirements, according to Rita Reynolds, chief information officer at the National Association of Counties.

In the past year and a half, Reynolds said, instead of answering a series of questions from their cyber insurance company when it’s time to renew, counties are now being asked to fill out lengthy questions about their security.

“Insurance companies are saying that higher standards are necessary for higher and lower costs,” he said. It’s like the perfect storm.

Reynolds said the new requirements aren’t a bad thing because governments are trying to maintain their online security, but officials were surprised by how it turned out.

He said: “Many of us were scared. “Some of the things that insurance companies want are easy to implement, but others can be expensive and time-consuming. You can’t just flip a switch.”

Communities want to be safe from cyberattacks and agree that they need to do everything they can to ensure proper security, Reynolds said. But those who don’t – or can’t – may find they can’t renew or get cyber insurance.

Reynolds said: “Areas are moving around. And no matter what you have, the wages have doubled, and sometimes tripled.

Some local governments are switching to self-insurance, where officials set aside a pot of money to use in the event of a computer disaster, according to Reynolds. Others are joining insurance pools and similar organizations and shopping around for better rates.

Stateline News

Countries Ban Banning Ransomware Payments

Oliver, a South Carolina employee, said his state didn’t learn about the policy change until two months before it was due to be rescheduled. Fortunately, he said, officials were able to answer “yes” to all of the initial security questions. If they didn’t, they would be rejected.

Officials spent the next two months answering the company’s second, multi-page questionnaire, Oliver said. The area was able to solve problems and make adjustments to meet the requirements.

The county council had to approve a budget resolution allowing officials to transfer money from another account to pay the $210,000 bill because it had only budgeted $70,000 for cyber insurance, he said.

Oliver said he is fortunate that his county, which has a population of about 365,000 and about 3,000 employees, has four employees dedicated to cybersecurity and the tools to pay for insurance and meet cybersecurity requirements.

But smaller communities, which may not even have information technology staff, may not be able to do so, he said.

“They might be out of luck,” he said. “If they can’t get cyber insurance, the only option for many small organizations is to cross their fingers and hope they don’t get hit.”

In Lehigh County, Pennsylvania, which has a population of about 375,000, officials also had a tough time updating their cyber insurance, said Chief Information Officer Bob Kennedy. About a week before Christmas 2020, they learned that they couldn’t be repaired because they didn’t have a lot of authentication on all of the computers that the co-workers had remote access to.

Fortunately, Kennedy said, the government is already planning to change this and has bought the right programs. Was able to speed up the timeline and negotiate with the insurance company to allow the change in February 2021 rather than January. Premium increased by 30%. And this year, he said, that amount nearly doubled from $82,000 to $158,000.

“Most of the things they order are good. There aren’t a lot of hoops,” Kennedy said. “But inflation is a big problem. It requires us to pay an increasing amount every year, even if you meet all these requirements.”

Ultimately, with all the concerns about cyber insurance, there may be a silver lining for local governments, said Reynolds, of the regional association.

“They’re starting to know more about what they need to do,” he said. “With every problem there is an opportunity. And in this case, it is an opportunity for them to increase their security on the Internet. “