Municipal governments are prime targets for cybercriminals. In 2021, there were at least 77 successful attacks on local and state governments and another 88 on school districts, colleges, and universities, with costs ranging as high as $18 million in lost revenue and system restoration expenses.1 Last year, one Connecticut town spent over $500,000 in legal fees and technology costs to recover their systems and resume normal business operations. As such, many towns and cities rely on cyber insurance to cover them in the event of a cyber-attack. However, in recent years, insurance companies have doubled cyber insurance premiums and implemented strict requirements for specific security controls that municipalities must have before obtaining cyber insurance. Providers are cracking down on poor cyber hygiene and will not cover organizations that do not implement basic safeguards.
So, what can cities and towns do to make sure they can obtain coverage? Cybersecurity experts at Novus Insight, Inc.—an East Hartford-based consulting firm and managed services provider—say it all starts with knowing your technology assets and sensitive data. “Maintaining an accurate inventory of sensitive data records is critical to rightsizing insurance policies,” says Greg Bugbee, Chief Technology Officer at Novus, and a Certified Information Systems Security Professional® (CISSP). “Insurance providers will ask, ‘How many unique sensitive records do you have?’ They use this data to calculate premiums and understand how many people would require identity protection in case of a breach.”
When trying to determine what data systems are in scope, Bugbee says, it is important to include the data stored by the municipality and the data given to third parties on behalf of the municipality. “If you enter data into a system, you are responsible, to an extent, for the security of that data. If you have a login, you are a data owner/operator. The third party is simply a custodian. They have some responsibility,” Bugbee cautioned, “but in a breach, everyone is investigated. Municipalities should ensure they have a clearly defined shared responsibility model that delineates what the town is responsible for versus what the vendor is responsible for.”
For municipalities obtaining cyber insurance or trying to renew their policy, Bugbee encourages municipal leaders to remember that pooled policies can be quickly exhausted in case of a multi-town breach. “Make sure you have enough and appropriate coverage,” he says. “Municipalities need enough coverage to conduct a forensic investigation, recover operations, and provide identity protection to those whose personal information has been breached.”
If you want more information on how your town can prepare to obtain or renew your cyber insurance coverage, contact Novus Insight at email@example.com or (860) 282-4200.
For resources on minimum security best practices for municipal governments, municipalities may consider joining MS-ISAC (cisecurity.org). As a member, municipalities gain access to various free resources from the Center for Internet Security (CIS) and the Cybersecurity and Infrastructure Security Agency (CISA).
Note: Staff from Novus Insight wrote this post.