Cyber Insurance for Municipalities: What You Need to Know
While cyber insurance policies have been in the market for a long time, it is only recently that organizations are seeing them as a necessity. In Canada, cyberattacks across the country increased by 50% in 2021.
Private companies are not the only targets. Increasingly, municipalities are being targeted by ‘cyber hackers’, resulting in websites being taken down, confidential data being stolen, and the need to pay large sums to cybercriminals.
Cyber insurance policies are specifically designed to help organizations such as municipalities manage the costs associated with these incidents. These policies cover a wide range of costs, from legal fees associated with privacy breaches to the costs of network security incident response and more.
This article will take a closer look at cyber insurance for municipalities, and how such policies can provide peace of mind for organizations in the event that they experience a cyber incident.
Types of cybersecurity risks against municipalities
Municipalities across Canada are enticing targets for cybercriminals. They provide critical services to their constituents and have infrastructure backed by both taxpayers and larger federal governments. Below are the types of cyber breaches that municipalities have experienced across Canada.
Ransomware is one of the most common types of attacks against municipalities. Ransomware is where ‘hackers’ infect a computer system with malicious software that blocks access to that system, and then demand a large sum of money in exchange for reinstating access, effectively holding somebody’s information to ‘ransom’.
The risk of these attacks, and the costs of recovering from them, have increased since the COVID-19 pandemic. From 2020 to 2021, the average cost to recover from a ransomware attack more than doubled from $970,722 to $2.3 million, placing a huge amount of strain on cybersecurity budgets.
In April 2019, for example, the City of Stratford, Ontario paid a ransom of $75,000 CAD in Bitcoin after a cyberattack disabled its phone system, email system and part of its website. In 2022, the small town of St. Mary’s, Ontario was hit by a ransomware attack from the “LockBit” ransomware group. Staff were locked out of their internal systems, and data was stolen and encrypted. It was reported that the town received a ransomware demand. The LockBit group is well-known for its ransomware attacks, having also hacked into the systems of the town of Frederick, Colorado and demanded a ransom of $200,000.
‘Hacktivism’ refers to using cyberattacks as a means of promoting a social or political cause. For instance, if a government passes a controversial law, hackers may be motivated to respond in protest via a cyberattack.
While many would assume its victims are primarily state and federal governments, small towns and local governments have fallen victim to these types of attacks. Municipal governments engage in critical services for their community, ranging from the issuing of building permits and commercial licenses to collecting taxes and providing waste disposal services. Online ‘activists’ have been known to attack municipalities through the freezing of servers, defacing of websites, and compromising data.
In April 2015, for example, hacktivists took down the primary website for the U.S. city of Baltimore. This was at a time when protests were active over the death of a man while in police custody. Richard Forno, a cybersecurity teacher at the University of Maryland, said at the time that we should expect these types of parallel attacks or cyberactivism to coincide with social unrest.
How can cyber insurance protect municipalities?
What does cyber insurance cover?
Cyber insurance covers both legal and operational costs associated with recovering from cybercrime and breaches of cybersecurity. While every policy has slightly different wording and scope, they typically provide cover for the following costs.
Incident Investigation and Response
This includes the costs of accessing a cyber incident response team to diagnose and coordinate a response to a breach. It usually involves 24/7 access to a cyber incident response hotline as well as costs associated with the recovery of data, notifying members of the public about breaches, and credit monitoring.
Cyber insurance will also typically cover the costs of paying a ransom demand. For example, many cybercriminals will infiltrate a network and only provide a decryption key upon the payment of a sum of money or cryptocurrency.
Network Business Interruption
This includes network recovery protection costs associated with a website’s “downtime” as well as the costs of bringing a network back to being active. This not only applies in situations where a hacker has infiltrated a network and taken a site down. It can also apply in circumstances of system failure, where a bad software patch or human error has inadvertently led to a system-wide shutdown.
Privacy and Security Liability
A security breach may result in a stakeholder or member of the public filing a lawsuit over the failure to maintain confidential data. The lawsuit may allege the breach of privacy law. Cyber insurance will usually cover:
- The legal costs and court fees associated with a lawsuit or a settlement; and
- Penalties imposed by a regulatory agency as a result of breaching privacy or confidentiality laws.
In 2020, thousands of Canadian government online accounts were hacked. The targets were primarily accounts of the Canada Revenue Agency and Employment and Social Development Canada. Hackers stole the credentials of one system, used them to attack another system, gained unauthorized access to accounts and fraudulently applied for COVID-19 benefits.
This resulted in a privacy class action filed in the Federal Court of Canada. In 2022, the Court certified the class action. This was reportedly the first time that a class action against a government was certified for negligence in safeguarding financial and personal information from hackers.
Cyber insurance also covers the costs of any intellectual property infringement in the event of a cyber breach. For example, if an organization’s intellectual property is stolen as a result of a cyber breach, then cyber insurance may assist in paying for legal fees to enforce intellectual property rights.
A cyber breach may prevent an organization from fulfilling obligations pursuant to a contract. For example, a local municipality may have entered into an agreement with a bus company and have certain obligations under a written contract with that company. If a cyber breach results in that municipality being unable to fulfill its contractual obligations, a cyber insurance policy may be able to cover the legal costs that flow from this.
You can speak to an insurance expert at Axxima to understand which form of cyber insurance is best for you.
What isn’t covered by cyber insurance?
While cyber insurance typically offers broad coverage, there are important exclusions to be aware of. Cyber insurance policies will generally not cover the following costs.
Future lost profits
If, as a result of a cybersecurity breach, an organization loses profits in the future, these will not be covered by cyber insurance. An example may be that a large commercial entity loses profits because the cybersecurity incident has severely damaged their reputation, leading to a loss of clients and potential future revenue.
Loss of value due to IP theft
If a hacker steals your intellectual property and this results in a significant loss in your organization’s market value, these costs will not be covered.
This involves the costs of improving internal technology systems following a cyberattack. While an organization may be trying to do the right thing by improving their cybersecurity infrastructure so that a breach does not happen again, the costs of these measures will generally not be covered.
How much does cyber insurance cost?
Will general municipal insurance or tech E&O insurance cover cyber?
Ordinary municipal insurance provides coverage for local governments from liability arising from injury and damage resulting from services, operations and products. Cyber incidents are generally excluded from this coverage.
It is also important to understand that tech E&O insurance and cyber insurance are not the same thing. Tech E&O policies are specifically designed for technology companies in case they have made errors that impact their clients. It is essentially a form of professional liability insurance for technology businesses. Cyber insurance, on the other hand, protects a broader range of organizations from the impacts of cyber breaches, which may include the failure to fulfill any obligations under its contracts.
Do I really need cyber insurance?
Insurance should form a key part of any cyber security policy. Municipalities should review their policies and cyber needs, as they tend to be targets of cybercriminals. There are various risks to cyber infrastructure that local governments face, including the increasing prevalence of ransomware as well as ‘hacktivism’ that arises during social unrest.
If you’re wondering if a cyber insurance policy is right for you, please get in touch with our expert team of actuaries and insurance brokers here at Axxima. Our team has specialized expertise on all things cyber insurance and will be more than happy to advise you on what type of insurance is necessary to protect your organization.