Public entities are under (cyber)attack

No one is immune to cyberattacks, but the risks are only expected to increase in the coming years.


While Jan. 1, 2020, signaled the start of a new decade, it also marked the modern internet’s 37th birthday. Since its conception, the internet has revolutionized how the world stays connected; today, it is intertwined with nearly everything we, as a society, do.

Although the expansion of the internet has benefited the billions of people who use it regularly, it has also resulted in an increase in cyberattacks on individuals, businesses, cities and other public entities that rely on the internet in some capacity. Cyberattacks are nearly as old as the internet itself, but what has changed in recent years is how often they occur and how much they cost. Of the 15 largest data breaches in history, 10 took place in the past decade, according to Business Insider.

“Cyberattacks, in general, are a manifestation of the way that crime has changed over the course of the past 10 years,” says James Burns, cyber product leader at CFC Underwriting Ltd.

As criminal activity has transitioned to the digital climate, the public sector has been a frequent target: major cities like Baltimore and Houston as well as small towns like Erie, Colo., and Lake City, Fla., are just a few locations that have suffered attacks recently; schools and utilities have also been targeted.

Municipalities and public entities are likely targeted specifically for two reasons. First, these entities are likely to provide services to the public; when they come under attack, “it tends to generate a level of scrutiny,” says Burns, which can increase pressure to deal with the attack as quickly as possible — often by paying a cybercriminal’s ransom demand. “The other reason, I think, predominately is the relatively low level of security maturity we see in a lot of public sector organizations,” adds Burns. Schools, cities and municipalities tend to have less money to invest in their information technology infrastructure compared to private sector organizations, leaving them more susceptible to cyberattacks.

The multiple levels of cyberattacks

As cyberattacks have proliferated, attention has turned to the root cause. As a result, more focus has been given to ransomware, possibly because “the main tool used by hackers is normally ransomware,” says Burns. There are various forms of ransomware, but it typically involves some sort of malicious software that is able to encrypt data or lock the victim out of their system unless they pay the ransom. Ryuk is the most common type of ransomware that CFC has seen recently as it “has become quite notorious for attacking large organizations and governmental and municipal networks,” says Burns.

Data breaches, ransomware incidents and spoofing attacks are all legitimate concerns for organizations with limited resources. However, there are multiple levels to consider, says Willy Leichter, vice president of marketing & product management at Virsec.

The first level is ransomware because it doesn’t require a lot of technical proficiency, but it has a lot of potential to be monetized; according to the Allianz Risk Barometer for 2020, ransom demands today can be in the millions, while five years ago a typical demand would have been in the tens of thousands of dollars.

The second level includes more sophisticated attacks that try to burrow into infrastructure and gather as much intelligence as possible about what’s going on. Leichter says they’re very patient attackers, adding that unless they make a mistake and are exposed, it can be years before they’re discovered. “There is a lot of malware out there that is in our infrastructure that hasn’t reared its head yet, but it has the potential to be remotely controlled and activated to do something bad,” says Leichter.

Another concern is a new class of attacks called memory-based attacks that infiltrate software while it’s running, as opposed to some virus that comes in on a disk or USB that “explodes when plugged in.” Leichter says these attacks often steer information to the wrong memory location — like with the WannaCry and NotPetya attacks.

“That’s kinda the new frontier,” says Leichter.

While most attacks tend to have a financial motive, some are politically or ideologically motivated and aim simply to destroy systems. Leichter says examples of attacks that fit these criteria haven’t been worst-case scenarios, but it doesn’t take a lot to cause disruption and fear. For example, if a power grid went down for a few hours, the psychological impact and damage could be significant even from a relatively short disruption.

The big picture

The effects of a cyberattack are immediate, especially when ransomware is involved. In May 2019, hackers infiltrated the city of Baltimore’s computer systems and demanded 13 bitcoins — the form of currency typically preferred by cybercriminals — but Mayor Bernard C. “Jack” Young refused to pay; according to The Baltimore Sun, the city’s budget office has estimated that the ransomware attack on city computers will cost at least $18.2 million, a combination of lost or delayed revenue and direct costs to restore systems.

The Baltimore cyberattack is a perfect example of how the cost of a cyberattack goes beyond the ransom to include the time, effort and expertise needed to get systems and operations up and running again. Then there are costs related to business interruption, fines and penalties from regulatory bodies, potential class-action lawsuits in the event sensitive data is compromised and much more.

“It isn’t just ransomware and the cost of paying a ransom. It’s the operational disruption, it’s the system rebuild, and it’s the cost associated with [a] data breach, which can hit really hard as well,” says Burns.

Coverage solutions

The high costs associated with cyberattacks are likely why many insurance carriers are willing to pay out ransoms. The Federal Bureau of Investigation advises against paying ransoms because it doesn’t guarantee an organization will get its data back, and it may embolden cybercriminals even further.

However, law enforcement’s perspective is “don’t negotiate with terrorists,” says Brad Keenan, assistant vice president at Keenan and Associates, an Assured Partners subsidiary that focuses on providing insurance and financial solutions for schools, public agencies and health care organizations in California. “But insurance carriers are really not looking at it from that perspective. They’re looking at it from the financial risk and exposure they have.”

Although there are many different policies and insurers offering cyber coverage, there are a few things a good standalone cyber insurance policy should cover. The three main components should be network security and data privacy coverage, business interruption coverage, and cyber extortion coverage to deal with ransomware, says David Finz, deputy regional head of product development for financial lines in North America at Allianz Global Corporate and Specialty. He adds that the types of claims typically seen parallel the components of cyber insurance that are available.

The cyber insurance market is still very young, and the industry is still learning a lot about what the risks are and how to calculate them. For now, claims are generally not denied as “cyber carriers are still pretty willing to pay for a claim,” says Keenan. Finz agrees with this assessment, but he emphasizes that there are two narratives regarding the denial of claims. The first is that there have been very few denials of claims made under a cyber policy. The other narrative, in the risk management community, is that insurance companies don’t pay cyber claims; he says this stems from the fact that the more publicized disputes involved cyber claims reported under other types of policies like general liability or property, which are not designed to pick up the types of exposures that a cyber insurance product is designed for.

Insuring the future

If cities and public entities aren’t covered by cyber insurance already, the recent wave of attacks should act as a wake-up call for them. But even when they do have coverage, they shouldn’t rely on it as a catch-all solution.

Instead, cyber risk needs to become a part of the overall risk management strategy, threat assessments should be regularly evaluated, and employees should be trained in proper cyberhygiene to minimize human errors. This allows insurance to act as a backstop rather than the “first line of defense,” says Finz.

The future is far from certain, but the next big cyberattack is all but guaranteed. While cybersecurity has become a mainstream discussion, cities, schools and other public entities continue to lag behind in their preparation. The risks that exist in our digital landscape will only proliferate going forward, making cyber insurance all the more important in the future.

“I think cyber insurance going mainstream is going to be an important part of protecting organizations and enabling them to do what they do moving forward,” says Burns.

Denny Jacob (djacob@alm.com) is an associate editor for NU PropertyCasualty360.
