It’s no secret that the frequency and speed of cyberattacks have increased in the past five years. But whereas hackers have historically targeted private companies with deep pockets to steal from, municipalities and governments are increasingly coming under fire. In March 2018, the City of Atlanta fell victim to a massive cyber breach with far-reaching public consequences: thousands of residents were unable to access city services such as courthouses and the water department website. While the monetary fallout continues to rise, the latest figure is $2.7 million.
Unlike private companies, public entities chronically lack the funds needed to secure against, respond to and recover from an attack. With the consolidated cost of a breach averaging $4 million in 2016, a single attack could easily bring down a police department, library or city. And while dollars and cents are at stake for any victim of an attack, public systems, services and entire populations’ sensitive data (e.g., Social Security numbers, medical records and driver’s licenses) are vulnerable when it comes to municipalities. With increasing frequency, public officials are reading the newspapers and asking, “How vulnerable are we? What can we do to prevent this from happening in our city?”
Governments at an inflection point
Consider the damning facts. Nowadays, approximately 15% of cyberattacks are directed against the public sector. Targets range from universities (such as the City College of San Francisco, which fell victim to a years-long computer virus that exposed the personal information of up to 100,000 students and faculty members) to transportation departments (the Colorado Department of Transportation spent $1.5 million cleaning up a ransomware attack).
Why is this a growing problem?
By nature, state and local governments and educational institutions are far more vulnerable than private companies to cyberattacks.
First, public entities are resource strapped. Administrators are constantly asking, “Do I have enough money to hire the staff, utilize the protocols, and implement the software and hardware updates needed to protect my organization from a cyberattack? If not, how and when do I get a budget approved?” It is common for a municipality’s computers to be running on outdated operating platforms with known security flaws, exposing the entire entity to cyber risk — but that entity is unlikely to have the funds needed for updates.
Second, governments are soft targets. They are meant to be open systems — you want your citizens coming to your website or using your utility payment system. Schools want parents to be able to access school board minutes. Unfortunately, many of these services are offered on unsecured websites vulnerable to several variants of malicious attack.
Third, public entities often don’t know what they don’t know. A lack of awareness about where to go and whom to talk to about cyber vulnerability entrenches the status quo and exacerbates cyber risk.
Thanks in part to a news cycle that is consistently abuzz with high-profile cyberattacks, municipalities and other governmental entities are beginning to acknowledge this toxic combination of underfunding, vulnerability and lack of technical resources. We are now at an inflection point: With this knowledge, what can public entities do to address the very real risks facing them?
What the public sector should do
The first step is to acknowledge the problem. In recent years, local governments have done just that. Now that cyber protection is on the front burner of their concerns, they can start seeking advice, learning from it and doing something about it.
Planning is crucial — without it, proper cyber protection is impossible. This entails making sure specific elements like cyber risk are embedded in the community’s overall enterprise risk management plan. In turn, that entails assessing where the risks are now, how the entity is currently handling them, where there are gaps, and how to respond and recover in the event of an attack.
In order to execute proper planning, municipalities and governments must communicate both internally and with their insurance providers. Oversharing is better than undersharing — at a minimum, they should communicate the current state of cybersecurity measures, like firewalls and virus protection. What kind of training is provided to teach staff how to avoid social engineering schemes aimed at tricking them into opening a door to cyber criminals? Communication should cut across all levels: which risks the various stakeholders face, what they can do about them, and how they are working across divisional lines to solve problems.
Municipalities and governments should also ask questions. This includes learning from their insurance agent what coverage and services their carrier may provide. Is cyber liability and data compromise insurance available? Are there services offered that could help mitigate loss? What else is available (e.g., community groups, public entity risk management associations, etc.) to help establish a cyber risk plan?
It is critical that training and technology be up to date. Municipalities and governments should work with the private sector to teach their people how to spot suspicious emails, how to react when they spot a red flag, and how to secure their devices. They should keep their operating systems, browsers, anti-virus software and other critical programs as up to date as possible — one of the biggest issues public entities face, given a chronic lack of budget. Ultimately, the greatest threats of exposure lie in social engineering and systems with known vulnerabilities.
What the private sector should do
The responsibility does not lie solely with municipalities and governments. The private sector possesses crucial multi-channel tools and expertise that public entities are lacking and desperately need. These include risk education and management, financial tools, recovery services, security assessment and best practices. Without proper education in and deployment of these tools, public entities will continue to assume an unacceptable level of risk.
Given that awareness is the single biggest roadblock to proper protection, the private sector should educate the municipalities and governments it serves. Even when the information exists, public entities often do not have a staff of IT professionals who can help them deploy solutions.
The insurance and risk management community should not only make it clear where public entities can go for information, but they should also make sure both physical and non-physical vulnerabilities are defined and understood. They should collaborate with governments to reduce the risk of an occurrence, minimize loss and speed up recovery. They should set up online portals where their clients can browse best practices, guidebooks and processes in an intuitive, user-friendly way.
If a city’s platforms facilitate revenue and those systems are inaccessible for days or weeks in the event of a breach, it could lose income. For small cities and towns, that could have a real impact on services. Therefore, the private sector should also offer products that can lessen the financial impact of ransomware attacks, cyberattacks or liability for personal data release.
Risk management and recovery services should provide tools to conduct security assessments, provide access to best practices in training employees, and offer access to companies that can help with public relations should a public entity suffer a loss. They should also offer an expert to help recover data in the event of a breach.
Beyond the insurance sector, commercial institutions, cloud services, and companies that sell automated control and infrastructure devices should offer education and support for before, during and after a cyber event.
Finally, insurance carriers should provide transparent feedback, including where to decrease risks or where they are higher, what a fair insurance rate would be, and what cities can do to prevent or minimize certain types of loss. Based on a municipality’s profile, the private sector should communicate its findings and the steps its client can take to recover faster.
Shared responsibility: Public-private partnerships
The solution to cyber risk lies at the crossroads of public and private. Like two sides of a coin, one cannot adequately address cyber risk without the other. In recent years, there has been a confluence of interests between the public and private sectors. Their interaction is becoming more frequent as insurance products and the understanding of risk begin to mature. However, there is still room for more progress.
On the one hand, municipalities and governments have a growing need for planning, risk management, response, and post-attack recovery. On the other, private insurance entities are developing more sophisticated products and expertise.
The public and private sectors should own their piece of the cyber pie with a sense of responsibility and the understanding that cyber risk requires proactive action before, during and after an event. Risk awareness and assessment is as important as risk control, which is just as important as threat response and handling the aftermath of a cyber incident.
At all phases, open dialogue and the exchange of data are crucial. As the public and private sectors work together, innovative solutions to cyber risk will emerge, and the entire community will benefit.
Thom Rickert (email@example.com), an emerging risks specialist with Trident Public Risk Solutions, part of Argo Group, has spent more than 35 years in the insurance industry. Rickert has extensive underwriting and marketing experience in all property and casualty lines of business, spanning multiple segments and industries.