What Is Cybersecurity Insurance for Municipalities?
State and local entities buy cyber insurance to cover losses resulting from a cyberattack. Such insurance can help to offset the costs of breach notifications, legal fees, regulatory fines and forensics. Depending on the policy, cyber insurance also can pay to restore data and offset the expense of claims made when a municipality fails to protect personal data.
“This is part of any risk mitigation effort,” says Alan Shark, CompTIA vice president and executive director of the Public Technology Institute.
“It protects against a number of things, like loss of business, payment of ransomware, replacement of equipment, technical support and legal fees,” he says. “If publicly identifiable information is leaked, insurance may cover credit monitoring reports for years.”
In case of a breach, such coverage can be a critical backstop. Cybersecurity insurance “can provide financial, technical and legal resources in response to somebody getting into an agency’s system, shutting it down, stealing data or doing other things that could compromise the agency’s activities,” says Marc Pfeiffer, assistant director of the Bloustein Local Government Research Center at Rutgers University.
Cyber coverage won’t thwart a hack, but it can help a municipality bounce back from an attack. Much the same as car insurance, “you can’t prevent accidents from happening,” says National Association of Counties CIO Rita Reynolds. “You have that insurance so that if something happens, it’s not going to be catastrophic to your budget. Cyber insurance is very similar: It’s really a safeguard in the event there’s an accident or, in this case, a cyberattack.”
How Can Municipalities Obtain Cybersecurity Insurance?
Municipalities can purchase cyber coverage through one of several models. First, they can simply go shopping. “You can just do Google searches to try to find out who’s offering coverage,” Shark says.
If the private-market options are not appealing, municipalities can self-insure. “You can set up a fund where you put a chunk of money in case you need it” to offset the expense of a breach, Pfeiffer says.
Finally, municipalities can band together to self-insure as a group. In this model, local governments pool their technology risks to create “a joint insurance fund, where multiple towns effectively form their own insurance company,” Pfeiffer says.
Many choose a combination of these approaches — a hybrid model that covers risk in multiple ways. For example, “joint or self-insurance funds may rely on private insurance for higher or excess levels of coverage,” Pfeiffer says.
“I may self-insure for $50,000 and pay a premium for membership in a joint self-insurance pool that will cover the next $500,000. The pool will then go to the private insurance market for anything above that,” he adds.