What Are the Challenges to Getting Cyber Insurance for Municipalities?
It is becoming increasingly difficult for municipalities to find affordable cyber insurance, or any cyber insurance at all. “Insurance companies have had much more experience in payouts, and they’re not in business to lose money,” Shark says.
“Some insurance carriers have actually pulled out of the whole business of cyber insurance for municipalities. They find the risk is just too much for them,” he says. In other cases, they’ve scaled back coverage levels.
“A policy that would provide coverage for $2 million or $5 million has now been reduced considerably, while at the same time the cost of premiums has gone up dramatically, so you’re paying more for less,” Shark says.
Plus, the insurers that still offer coverage are making it harder to get. Applications may encompass hundreds of detailed technical and operational questions. Embedded within those questions are minimum standards: cybersecurity expectations that municipalities need to meet to even be considered for coverage.
“Don’t go looking for cyber insurance if you don’t have multifactor authentication in place,” Reynolds says. “Other things that are considered minimum standards are phishing testing of your employees, as well as making sure your backups are totally disconnected from the network. They’re also asking for the documentation on how quickly you are putting in critical patches when a vulnerability is found in software or in an operating system.”
There’s an upside to this, she says, because meeting these requirements will naturally make a city or county more cyber-resilient. But the minimum standards still act as a barrier to less sophisticated municipalities that are trying to offset their cybersecurity risks.
As cybercrime continues to escalate, it just gets harder to find coverage. “As claims costs go up, rates go up, and some companies drop out, which makes it easier for the remaining insurers to raise their rates,” Pfeiffer says. “Right now, insurance is very expensive, and there are fewer companies selling it than before.”
Pros and Cons of Cybersecurity Insurance for Municipalities
Given the challenging marketplace for cyber insurance, municipal leaders need to consider the pros and cons of cyber coverage.
In the plus column: Insurance mitigates risk. “If I’m a city or county manager, my responsibility is to protect that entity the best way I can,” Shark says. “When the cyber criminals have become far more sophisticated and the attacks are far greater, it’s not a time to cut back.”
Another big benefit has to do with the services that insurers provide in addition to the financial coverage in a cyber policy.
“Many insurance providers include in their policies some very valuable expertise in areas that you as a municipality or county might not have on staff,” Reynolds says. “When there’s an incident, you call the insurance company, and they have a team that can jump right in and assist. They can provide forensic expertise. They can provide expertise as you go through recovery, including communications and notifications. If it’s been a breach, then their legal advice is invaluable.”
On the negative side, there’s the ever-increasing cost of coverage, the shrinking range of available options and the sheer technical complexity of applying for a policy. Another negative effect emerges when cities try to use insurance in lieu of implementing cyber safeguards.
“One possible con has to do with relying on insurance to bail you out. It’s not meant to do that,” Reynolds says. “If you state that you have all those best practices in place, and then you have an incident and it turns out you didn’t, that’s not good. The claim’s going to be denied, and you’re probably going to lose your insurance. You can’t rely on insurance to bail you out if you’re not doing best practices.”
The best way to approach the cybersecurity insurance question, experts say, is to put in place a robust cybersecurity strategy to both reduce your risk and shrink the premiums you’ll pay for coverage.
Municipalities “need to consider how much they can do on their own,” Pfeiffer says. “If you ramp up your cyberdefenses, then you’re reducing the risks, so you want to look at how well you protect yourself. Then you can make a judgment call as to where you don’t want to absorb some risk, and maybe pay somebody else to take that risk for you.”