As state and local governments face a troubling increase in cybercrime threats and attacks, researchers from the University of Maryland characterize the state of local government cybersecurity in the United States as “appalling.”

The following are a few key findings from the University of Maryland’s first-ever nationwide survey on local government cybersecurity, conducted in 2016 in partnership with the International City/County Management Association:

• Extorting ransom was the most common reason for cyberattacks on city, town or county government agencies, accounting for nearly one-third of all attacks, followed by mischief, and theft of private information.
• More than a third of local governments (38 percent) were relying on technology that was at least one generation out of date, and fewer than half had bought cybersecurity insurance, which can help cover the costs of responding to a major attack.
• Increased awareness among local government employees, greater funding, and better cybersecurity policies were rated as the most important factors to ensure the highest level of cybersecurity for local governments.

Threats to municipalities
According to the FBI, the current leading cyberthreats to state and local governments include ransomware, payroll account hijacking, unauthorized wire transfers, illicit access to “internet of things” devices, and insider threats.

The city of Atlanta was the victim of a ransomware attack on March 22 that took many of the city’s services offline for nearly a week. During this time, the police had to revert to taking written case notes. Atlanta’s administration has disclosed little about the financial impact or scope of the ransomware hack, but information released at budget briefings confirms that it may be the worst cyberattack on any U.S. city.

The information technology agency in the state of Texas reports that it blocks billions of instances of malicious traffic per year, with an average of 3 billion monthly intrusion attempts at last check. The city of Fort Worth alone sees about 15,000 attacks every day.

Cyber breaches in Massachusetts
Hackers and perpetrators of cybercrimes are taking aim at local government networks, which can be relatively easy for them to breach.

Some examples in Massachusetts include the following:

• In one central Massachusetts city, a ransomware attack in April resulted in a $10,000 bitcoin payment to anonymous extortionists. The attack, which locked all of the school district’s computers, was carried out by a party demanding payment to return the computer system to normal. The ransom was paid out of the city’s general fund, and access to most of the school district’s computers was restored following the payment.
• The Boston Globe reported that a Norfolk County town paid a ransom demand of about $300 to a cybercrime gang in December 2017 after one of its servers was infected with ransomware.
• A Worcester County town’s public television station was hit with a ransomware attack in March 2017. According to an article in the Worcester Telegram, “the station’s feed to the site was ‘ransomwared,’” and it took about six months to recover from their server being compromised.
• Governing magazine reported in May 2017 that another Worcester County town’s school department was hit by a ransomware attack about a year and a half ago. The IT director said he doesn’t want town offices to have to go through that kind of situation. “Just the work required to get things back up and running is so time intensive,” he said. “Plus, any files that aren’t able to be backed up are just lost.”

Cyber liability coverage
Cyber liability coverage offers protection when claims are made against an organization for monetary damages arising out of an electronic information security event. The insurance provides access to funds and, in many cases, experts to help manage the response and resolve the breach.

There are certain conditions that must be met before a policy is issued, which helps to set the threshold for the cybersecurity of a municipality or organization and its suppliers. Cyber liability insurance can identify vulnerable software providers and hold people accountable for doing their job properly.

Policies are typically designed to protect against liability associated with unauthorized release of confidential information, violation of a person’s right to privacy, personal injury in an electronic/social media environment, intellectual property infringement, and violations of state or federal privacy laws.

A cyber liability policy, which can be customized to needs and budget, can cover costs, up to predetermined limits, such as the following:

• Legal costs to defend suits brought by affected parties
• Affected party notification (printing, advertising, mailing of materials, emailing, etc.)
• Credit monitoring and identity-theft education and assistance
• Incident investigation/computer forensic analysis
• Identity and data recovery
• Computer system repairs and/or new equipment
• Downtime costs (inability to operate and conduct transactions)

It is important to keep in mind that cyberattacks can result in more than monetary losses, exposure of sensitive data, and networked systems damage. When critical systems at hospitals, police and fire departments, or vital infrastructure systems such as water, electricity and natural gas are attacked, public safety and individual welfare can be put at risk.

In addition, government agencies already constrained by limited financial and IT staff resources may be severely affected by the time and labor required during the recovery process.

MIIA’s new CyberNET coverage, for example, is tailored to meet the needs of municipalities. According to MIIA Executive Vice President Stan Corcoran, MIIA’s pre-loss risk management, combined with its post-loss legal and IT assistance and expertise, puts CyberNET among the most comprehensive coverage offerings available.

Who’s responsible for cybersecurity?
Cybersecurity is the responsibility of the entire chain of elected and appointed officials in local governments. It is no longer just the IT department’s problem, and preventing future attacks requires intergovernmental cooperation, because municipalities often work together across state lines and collaborate with the federal government on crucial tasks such as running elections, managing transportation, and sharing intelligence.

Obtaining a cybersecurity policy can strengthen your systems via the underwriting process and can provide expert resources badly needed in many towns.

Municipalities are advised to consult with their insurance provider for more information and best practices for protecting their communities from cybersecurity breaches.

Written by Stephen Batchelder, MIIA’s Director of Claims and Risk Management Operations.

Written by