Rising cyber insurance costs have left local governments struggling

Horry County, South Carolina, officials were alarmed earlier this year, when they discovered their cyber insurance was going up from $70,000 last year to nearly $210,000.

And if they could not meet the demands of the insurance company and prove that they had the control power needed to protect and protect themselves from cyberattacks, they learned, they could not renew their $5 million policy.

“Insurance companies sell you pot. There hasn’t been much discussion,” said Tim Oliver, the state’s chief information officer.

Across the United States, many local and state governments—as well as private companies—are in the same boat. They have realized that cyber insurance premiums have skyrocketed and that they must meet strict guidelines if they want to be covered or renew their policies.

“Cyber ​​insurance was very affordable,” said Alan Shark, director of the CompTIA Public Technology Institute, a Washington, DC-based nonprofit that provides consulting services to local governments. But things have changed, and insurance companies are increasing their rates and raising prices and making it harder to get insurance. Some local governments may not be able to access it either. “

Insurance industry executives say the cost to private and public agencies is driven by a surge in the number of people seeking coverage for frequent and costly cybercrimes, which are often the result of ransomware attacks. That means insurers have to pay more, which has led them to raise premiums and tighten standards to get policies. Some companies have also downgraded information or reduced the amount of information they provide.

Last August, for example, American International Group, one of the country’s largest writers of cyber insurance, announced that the prices of its customers. has increased by about 40% worldwide and that it is promoting the principles of its policies to stop the damage of the Internet.

In the past three years, the number of online insurance companies in the United States it increased by 100% year-on-year, according to the May report of Fitch Ratings, a credit rating agency. In 2021, insurers paid 8,100 claims.

In order to reduce risk and potential losses, insurers are becoming more diligent when applying for the information an organization uses to protect itself from cyberattacks, according to Loretta Worters, a spokeswoman for the Insurance Information Institute, the industry’s trade group.

“If any government agency or business has such a problem and fails to address it, it may result in significant costs or non-remediation,” Worters wrote in an email.

Companies now want to ensure that organizations have updated software and firewall protection, a backup system, cyber training for employees and vulnerability testing, among other requirements.

They also want organizations to use more authentication methods, including remote services. Such security technology verifies a user’s identity before logging in, usually through a one-time password or a code sent to a mobile phone or email.

Cyber ​​insurance often covers a variety of tasks, such as providing legal expertise to investigate the crime, legal assistance, hardware replacement, data recovery and information on victims of a data breach. Other laws include negotiating a ransom with the kidnappers and paying the ransom.

Insurance changes mainly from the outbreak of ransomware, which hijacks computer systems, encrypts data and stores it until victims pay a ransom or restore the system themselves. It is often spread through phishing, where hackers send malicious emails or attachments and people unknowingly click on them, releasing malware.

In 2020, ransomware attacks accounted for 75% of cyber insurance in the US, according to AM Best, a credit rating agency.

In the past few years, there has been a rise in ransom threats for cities, county governments, school districts, police agencies and health systems. Small governments, especially small ones, can be vulnerable because they may have limited resources and staff with cyber security expertise.

In 2021, there were at least 77 incidents at local and state governments and another 88 at school districts, colleges and universities, according to Brett Callow, cybersecurity analyst, Emsisoft. This year, at the end of June, there were at least 28 demonstrations in the districts and 33 in the schools.

In Baltimore, where tens of thousands of computers were disabled in a major ransomware attack in 2019, it cost the city at least $18 million — including lost or delayed revenue and the cost of restoring systems.

The city, which didn’t pay the ransom and didn’t have cyber insurance, decided to spend $835,000 over one year. buy $20 million to eliminate any interference with its network. It continued to purchase annual cyber insurance.

Some local governments choose to pay the ransom because they need their data urgently and think it is the best option. Some think it would be too expensive and time consuming to start over and rebuild everything.

Many local governments see cyber insurance as a necessity in case of an attack, making it even more confusing that their costs have increased and there are new requirements, according to Rita Reynolds, chief information officer at the National Association of Counties.

In the past year and a half, Reynolds said, instead of answering a series of questions from their cyber insurance company when it’s time to renew, communities are now being asked to fill out lengthy questions about their security.

“Insurance companies are saying that higher standards are necessary for higher and lower costs,” he said. It’s like the perfect storm.

Reynolds said the new requirements aren’t a bad thing because governments are trying to maintain their online security, but officials were surprised by how it turned out.

He said: “Many of us were scared. “Some of the things that insurance companies want are easy to implement, but others can be expensive and time-consuming. You can’t just flip a switch.”

Communities want to be safe from cyberattacks and agree that they need to do everything they can to ensure proper security, Reynolds said. But those who don’t—or can’t—may find themselves unable to renew or obtain cyber insurance.

Reynolds said: “Areas are moving around. And no matter what you have, the wages have doubled, and sometimes tripled.

Some local governments are switching to self-insurance, where officials set aside a pot of money to use in the event of a computer disaster, according to Reynolds. Others are joining insurance pools and similar organizations and shopping around for better rates.

Oliver, a South Carolina employee, said his state didn’t learn about the policy change until two months before it was due to be rescheduled. Fortunately, he said, officials were able to answer “yes” to all of the initial security questions. If they didn’t, they would be rejected.

Officials spent the next two months answering the company’s second, multi-page questionnaire, Oliver said. The area was able to solve problems and make adjustments to meet the requirements.

The county council had to approve a budget resolution allowing officials to transfer money from another account to pay for $210,000 because it had only budgeted $70,000 for cyber insurance, he said.

Oliver said he is fortunate that his county, which has a population of about 365,000 and about 3,000 employees, has four employees dedicated to cybersecurity and the tools to pay for insurance and meet cybersecurity requirements.

But smaller communities, which may not even have information technology staff, may not be able to do so, he said.

“They might be out of luck,” he said. “If they can’t get cyber insurance, the only option for many small organizations is to cross their fingers and hope they don’t get hit.”

In Lehigh County, Pennsylvania, which has a population of about 375,000, officials also had a tough time updating their cyber insurance, said Chief Information Officer Bob Kennedy. About a week before Christmas 2020, they learned that they could not be repaired because they did not have a lot of authentication on all of the computers that the employees had remote access to.

Fortunately, Kennedy said, the government is already planning to change this and has bought the right programs. Was able to speed up the timeline and negotiate with the insurance company to allow the change in February 2021 rather than January. Premium increased by 30%. And this year, he said, that amount nearly doubled from $82,000 to $158,000.

“Most of the things they order are good. There aren’t a lot of hoops,” Kennedy said. “But inflation is a big problem. It requires us to pay an increasing amount every year, even if you meet all these requirements.”

Ultimately, with all the concerns about cyber insurance, there may be a silver lining for local governments, said Reynolds, of the regional association.

“They’re starting to know more about what they need to do,” he said. “With every problem there is an opportunity. And in this case, it is an opportunity for them to increase their security on the Internet. “

This article was reprinted from world line under a Creative Commons license. Read the book the first story.