The Pros and Cons of Cybersecurity Insurance for Municipalities

What Is Cybersecurity Insurance for Municipalities? 

State and local entities buy cyber insurance to cover losses resulting from a cyberattack. Such insurance can help to offset the costs of breach notifications, legal fees, regulatory fines and forensics. Depending on the policy, cyber insurance also can pay to restore data and offset the expense of claims made when a municipality fails to protect personal data. 

“This is part of any risk mitigation effort,” says Alan Shark, CompTIA vice president and executive director of the Public Technology Institute.

“It protects against a number of things, like loss of business, payment of ransomware, replacement of equipment, technical support and legal fees,” he says. “If publicly identifiable information is leaked, insurance may cover credit monitoring reports for years.”

In case of a breach, such coverage can be a critical backstop. Cybersecurity insurance “can provide financial, technical and legal resources in response to somebody getting into an agency’s system, shutting it down, stealing data or doing other things that could compromise the agency’s activities,” says Marc Pfeiffer, assistant director of the Bloustein Local Government Research Center at Rutgers University.

Cyber coverage won’t thwart a hack, but it can help a municipality bounce back from an attack. Much the same as car insurance, “you can’t prevent accidents from happening,” says National Association of Counties CIO Rita Reynolds. “You have that insurance so that if something happens, it’s not going to be catastrophic to your budget. Cyber insurance is very similar: It’s really a safeguard in the event there’s an accident or, in this case, a cyberattack.”

RELATED: State and local agencies lag in ransomware response planning.

How Can Municipalities Obtain Cybersecurity Insurance?

Municipalities can purchase cyber coverage through one of several models. First, they can simply go shopping. “You can just do Google searches to try to find out who’s offering coverage,” Shark says.

If the private-market options are not appealing, municipalities can self-insure. “You can set up a fund where you put a chunk of money in case you need it” to offset the expense of a breach, Pfeiffer says.

Finally, municipalities can band together to self-insure as a group. In this model, local governments pool their technology risks to create “a joint insurance fund, where multiple towns effectively form their own insurance company,” Pfeiffer says.

Many choose a combination of these approaches — a hybrid model that covers risk in multiple ways. For example, “joint or self-insurance funds may rely on private insurance for higher or excess levels of coverage,” Pfeiffer says.

“I may self-insure for $50,000 and pay a premium for membership in a joint self-insurance pool that will cover the next $500,000. The pool will then go to the private insurance market for anything above that,” he adds.

What Are the Challenges to Getting Cyber Insurance for Municipalities? 

It is becoming increasingly difficult for municipalities to find affordable cyber insurance, or any cyber insurance at all. “Insurance companies have had much more experience in payouts, and they’re not in business to lose money,” Shark says.

“Some insurance carriers have actually pulled out of the whole business of cyber insurance for municipalities. They find the risk is just too much for them,” he says. In other cases, they’ve scaled back coverage levels.

“A policy that would provide coverage for $2 million or $5 million has now been reduced considerably, while at the same time the cost of premiums has gone up dramatically, so you’re paying more for less,” Shark says.

Plus, those insurers who still offer coverage are making it harder to get. Applications may encompass hundreds of detailed technical and operational questions. Embedded within those questions will be minimum standards — cybersecurity expectations that municipalities need to meet, to even be considered for coverage.

“Don’t go looking for cyber insurance if you don’t have multifactor authentication in place,” Reynolds says. “Other things that are considered minimum standards are phishing testing of your employees, as well as making sure your backups are totally disconnected from the network. They’re also asking for the documentation on how quickly you are putting in critical patches when a vulnerability is found in software or in an operating system.”

There’s an upside to this, she says, because meeting these requirements will naturally make a city or county more cyber-resilient. But the minimum standards still act as a barrier to less sophisticated municipalities that are trying to offset their cybersecurity risks.

As cybercrime continues to escalate, it just gets harder to find coverage. “As claims costs go up, rates go up, and some companies drop out, which makes it easier for the remaining insurers to raise their rates,” Pfeiffer says. “Right now, insurance is very expensive, and there are fewer companies selling it than before.”

EXPLORE: What are the top five questions a cybersecurity assessment should answer?

Pros and Cons of Cybersecurity Insurance for Municipalities

Given the challenging marketplace for cyber insurance, municipal leaders need to consider the pros and cons of cyber coverage.

In the plus column: Insurance mitigates risk. “If I’m a city or county manager, my responsibility is to protect that entity the best way I can,” Shark says. “When the cyber criminals have become far more sophisticated and the attacks are far greater, it’s not a time to cut back.”

Another big benefit has to do with the services that insurers provide in addition to the financial coverage in a cyber policy.

“Many insurance providers include in their policies some very valuable expertise in areas that you as a municipality or county might not have on staff,” Reynolds says. “When there’s an incident, you call the insurance company, and they have a team that can jump right in and assist. They can provide forensic expertise. They can provide expertise as you go through recovery, including communications and notifications. If it’s been a breach, then their legal advice is invaluable.”

On the negative side, there’s the ever-increasing cost of coverage, the shrinking range of available options and the sheer technical complexity of applying for a policy. Another negative effect emerges when cities try to use insurance in lieu of implementing cyber safeguards.

“One possible con has to do with relying on insurance to bail you out. It’s not meant to do that,” Reynolds says. “If you state that you have all those best practices in place, and then you have an incident and it turns out you didn’t, that’s not good. The claim’s going to be denied, and you’re probably going lose your insurance. You can’t rely on insurance to bail you out if you’re not doing best practices.”

The best way to approach the cybersecurity insurance question, experts say, is to put in place a robust cybersecurity strategy to both reduce your risk and shrink the premiums you’ll pay for coverage.

Municipalities “need to consider how much they can do on their own,” Pfeiffer says. “If you ramp up your cyberdefenses, then you’re reducing the risks, so you want to look at how well you protect yourself. Then you can make a judgment call as to where you don’t want to absorb some risk, and maybe pay somebody else to take that risk for you.”

DIVE DEEPER: Learn how zero trust will evolve in 2022 for state and local agencies.