Feb 13 2023
Security

State and Local Governments Fortify Defenses to Reduce Cyber Insurance Costs

Agencies can ensure appropriate coverage with thorough documentation of assets and defenses.

In North Dakota, CISO Michael Gregg is running a security operations center that benefits his state and local government agency partners in several ways.

Agencies often have trouble hiring qualified cybersecurity staff, Gregg says. By manning a highly capable security operations center, Gregg relieves his North Dakota peers of that challenge. The centralized North Dakota SOC also provides highly effective managed services for state and local agencies. By subscribing to these services, eligible agencies receive a discount on their cybersecurity insurance.

Through a deal with the North Dakota Insurance Reserve Fund, agencies that use the state’s SOC service get a 4 percent reduction in their insurance costs.

“The cost of cyber insurance has doubled or tripled over just the past year or two. But agencies can get our expertise and our tools for free while also reducing their insurance costs through our delivery of these SOC capabilities,” Gregg says. “They lower their overall costs over time.”

Robust SOC capabilities are key to state and local cyberdefenses. Government IT leaders can realize economies of scale by obtaining SOC services through a centralized state resource or an expert vendor. Either way, state and local agencies can reduce insurance costs by demonstrating strong cybersecurity defenses. In many cases, they cannot even qualify for cyber insurance coverage without doing so.

Cyber Insurance Providers Are Wary of Ransomware Payouts

In 2021, 3 in 10 government organizations reported paying a ransom to restore encrypted data, according to Sophos. Government organizations paid $213,000 in ransom on average that year.

A Sophos report titled “The State of Ransomware in State and Local Government 2022” notes that 80 percent of state and government organizations have obtained cyber insurance for coverage against ransomware attacks (the cross-sector average was 83 percent). To lower cyber insurance costs, state and local agencies have fortified their cybersecurity defenses, the report notes: “96% have upgraded their cyber defenses to secure coverage.”

State and local government organizations experienced an “above-average rate of ransomware payout by insurance providers,” as insurance companies paid out in 49 percent of ransomware attacks, versus 40 percent across all sectors.

Policies have become more expensive, and requirements have become stricter in the face of these payouts. Agencies that lack strong cybersecurity protection can find it difficult to obtain adequate coverage.

Documenting strong cybersecurity protections can help governments acquire sufficient cyber insurance. Documentation may include certifying capabilities for patch management, asset management, multifactor authentication and more. Agencies should also procure and document annual third-party penetration tests and additional assessments to identify vulnerabilities.

Insurance Qualifications May Prove Daunting for Local Governments

Local governments with limited resources may find it increasingly difficult to buy cyber insurance. In a recent GCN webinar, Dallas CISO Brian Gardner said that insurance providers ask governments to submit detailed responses to questionnaires about their capabilities. They may also ask about intangible factors such as technical debt, added Rita Reynolds, CIO of the National Association of Counties.

Legacy systems carry a significant amount of technical debt, which includes the cost of additional work required to enable those systems to operate in modern environments. Technical debt only increases in the face of cybersecurity workforce shortages. A New York City utility, for example, has 14 different legacy SCADA systems that it depends upon to operate its systems through different parts and pieces. How does the agency really know what’s in its environment? How has it arrayed its resources around protecting those assets?

In 2021, American International Group, a large cyber insurance provider, raised its rates 40 percent globally. It also bolstered its requirements for obtaining cyber insurance. According to a report by the Pew Charitable Trusts, Horry County, S.C., saw its cyber insurance premium rise from $70,000 in 2021 to $210,000 in 2022.

Build a Cybersecurity Strategy with a Comprehensive Approach

CDW•G has developed a full-stack approach to cybersecurity capabilities, including ransomware mitigation and data protection. We call this approach SPEAR.

Here is how SPEAR breaks down:

  • Scan for risk. Assessments evaluate an agency’s overall security posture.
  • Prepare for the worst. Calculated solutions and services help governments avoid, transfer or mitigate risk.
  • Expose the threat. Targeted solutions and services expose the active attack in the public sector environment.
  • Assess the response. A dedicated team partners with an agency to contain and eradicate an attack.
  • Recover and remediate. Services and playbooks help IT leaders quickly restore operational capability and remediate any system impact.

Ransomware, of course, remains a particularly dire threat against state and local government systems, which often are not patched or updated as quickly as those in the private sector. In addition, ransomware dramatically shuts down government services, making its presence felt promptly among citizens trying to conduct business and agencies striving to serve them.

State and local governments can cover their bases by turning to a qualified managed service provider with a comprehensive approach to establishing and maintaining cyberdefenses.

This article is part of StateTech’s CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.