How to Decrease Cyber Insurance Premiums for Municipalities?

Cyber insurance is a hot topic in the property and casualty (P&C) insurance industry. Given the novelty of cyber insurance, finding affordable protection might be difficult. (around 20 years1 ). In actuality, the recent increase in the frequency of cyberattacks2 impacted all businesses, while some witnessed bigger hikes than others, leading to a 92% increase in the direct written premiums of the top cyber insurance writers in 2021 compared to levels in 2020.

Check Point Research4 found that in 2022, the government and military sector witnessed a 44% spike from 2021 levels, making it the sector with the second-highest average weekly assault rate, behind only the education and research sector.

Because of the variations in cyber claim activity by industry, particularly for public companies, I was curious as to how cyber insurers were charging differently across sectors.5 This rise in rates was not the result of insurers entering new markets but rather of major rate rises in reaction to rising claim activity.

I analyzed 10 openly available cyber rate filings from various government agencies (sometimes referred to as “municipalities”) and found a wide range of prices. In five of these 10 reports, municipalities were billed at the maximum possible rate. (i.e., highest risk).

In three instances, municipalities were placed in the second highest rank, behind only hospitals and nursing homes. Both of the remaining files flat-out forbade insurers from taking municipal contracts. There was a wide range in base class adjusting factors for cyber insurers that wrote municipal business, from 2 to over 12!

Considering that the cost of cyber insurance for municipalities is anywhere from two to twelve times that of the basic business class, I felt it was important to learn more about this discrepancy.

Reason #1: Governmental institutions keep sensitive data

Public organizations utilize and keep data that is highly sought after by cybercriminals. This includes sensitive information like tax returns and other pieces of personal information (PII) like Social Security numbers.6 These sensitive files might be used for identity theft and other illegal activities if they fall into the wrong hands.

Reason #2: Resources are scarce

67 percent of municipalities surveyed by the National League of Cities (NLC) reported that their budgets were insufficient to ensure the security of sensitive information, and more than half of respondents believed that elected officials did not give cybersecurity budgets and policies a high priority.

According to studies conducted by Deloitte, states spend less than 3% of their total IT expenditure on cybersecurity. When compared to private companies, municipal governments allocate a far smaller portion of their funds or revenue to IT.

Given that a far smaller share of budget and revenue goes to IT (and only 3% of the 0.1% go to cybersecurity), it is clear that a lack of resources leads to public organizations being frequent targets of cyberattacks. There have been some promising advances in public sector cybersecurity.

The NLC survey found that almost three-quarters of all local governments had some sort of cybersecurity strategy. Public sector enterprises sometimes lag behind private sector competitors in updating the cybersecurity plan, despite having a strategy in place. Even while 75% of respondents reported having a cyber security plan, only 68% said they had examined it in the preceding year. The NLC survey found that just two-thirds of businesses conducted annual audits of their cybersecurity plans, which is concerning given that this is considered best practice.

The United States is working to close the gap in cybersecurity funding between government agencies and private sector companies. The Department of Homeland Security (DHS) announced a new cybersecurity grant program10 in September 2022, allocating $1 billion over four years to government agencies around the US.

In order to obtain the grant money, states must distribute at least 80% of it to local governments. There are 19,429 municipalities in the USA, thus the average compensation over four years will be $41,000 to $52,000 (or around $10,000 to $13,000 annually). Not negligible, but definitely not enough to dramatically improve cybersecurity education and infrastructure.

Reason #3: Insufficient cybersecurity training

Even if a government agency has a cybersecurity plan, employees must be aware of vulnerabilities like phishing that can lead to attacks like ransomware. Having staff adequately informed on the dos and don’ts of cybersecurity is a vital strategy to prevent data breaches, since studies reveal that the greatest risk to most firms is the individuals who work there. Most security breaches, as stated by NetDiligence12, may be traced back to human error or a breakdown in procedure rather than a technical flaw.

According to the NLC survey, over eighty percent of businesses provide some form of cyber security training for employees. Fortunately, 80% of organizations that offer such training do so on a yearly basis. But this also means that more than 40% of all cities (100% – 76% x 80%) either don’t train their employees or just train them sometimes. In addition, the study’s respondents suggest that only during onboarding is training provided, which is dangerous because hackers’ tactics evolve over time.

Reason #4: The prospect of public scrutiny

After a hack, people are more cautious while interacting with the general public. Public institutions may feel compelled to act swiftly13 in response to the attack in order to prevent further disruptions and delays. The victim may be shocked at the cost of the ransom. Ransomware strikes on US government institutions cost taxpayers more than $52 billion from 2018 to 202014.

Cybercriminals target government agencies because of the sensitive and vital information they store.15 If a municipality’s systems were down, many normal services that the public relies on would be unavailable, which may possibly lead to anarchy. This is one of the reasons why government agencies are frequently attacked.

In light of these variables that are adding to the expense of cyber for government agencies, it is important to examine recent trends in the cyber market and how they affect government agencies.

Trends in the public entity cyber market

While the majority of cyber insurance policyholders (across all industries) have seen rate increases16, public entities have seen rate increases that are greater than those in other industries due to poorer risk management and cybersecurity practices and being a more popular target for cybercriminals.

For instance, in one South Carolina county, rates increased by 300 percent. Public entity risk pools, groups of government agencies (often within the same state) who band together to negotiate better insurance rates for their employees, have also seen significant hikes in their premiums. There was a 300 percent increase in premiums for the Local Government Insurance Trust of Maryland, a public entity risk pool.Public organizations (and pools) with limited resources for cybersecurity cannot afford such a significant increase in rates (19).

According to Loretta Worters, a spokesman for the Insurance Information Institute: “Public entities that do not address these security measures may be subject to reduced limits or even nonrenewal.” Insurers are getting more thorough in asking about a company’s cybersecurity measures and technology in the application process in an effort to decrease risk and potential losses.

According to AMWINS21, government agencies are having a hard time navigating the current commercial cyber sector. Limits in the aggregate often don’t go higher than $5 million. However, retention regulations have expanded, and now some publicly traded corporations must retain the first $1 million of each cyber event. For instance, the limitations on one public entity risk pool were reduced from $1 million to $250,000, while the deductible was raised from $5,000 to $25,000.

As was previously said, there are insurers who refuse to provide policies to government agencies. For others, developing regulations for government agencies is contingent on their already having taken precautions like “implementing encrypted data backup, multi-factor authentication, data segmentation, and password policies.”22 A number of public entity risk pools are beginning to offer cyber insurance to its members as a result of the situation of the traditional commercial market.

Since public entity risk pools underwrite specifically for the risks that public entities encounter, they can help provide more tailored coverage needs.

Despite rising premiums and potential nonrenewals, the good news is that a growing number of public entities are insuring themselves against cyber hazards. In the National Survey of Local Government Cybersecurity Programs and Cloud Initiative23 conducted in 2021, 90% of responding local governments reported having cyber insurance.

A rise from the 78% who anticipated having cyber insurance in 2020. However, 69% of those who purchased cyber insurance in 2021 saw price increases compared to the previous year.

How can public organizations cut the price of their cyber insurance?

Government agencies may lower the cost of their cyber insurance in two ways. The first step is for them to update their protection plans. Municipalities can opt to preserve a “working layer,” often between $25,000 and $1 million, and then purchase a policy that provides coverage up to that maximum amount. For government agencies that have seen their insurance rates rise dramatically, this type of protection may be able to bring those costs down.

The second, and arguably most effective, way for publicly traded corporations to lower their cyber insurance premiums is to reduce their losses. Losses for policies like general liability can be decreased with the use of effective risk management practices. Cyber insurance is the same way. In order to mitigate the losses caused by the aforementioned causes #2 and #3, public sector firms must improve their cybersecurity strategies and procedures.

In what specific ways, then, should government agencies improve their cybersecurity? The New Hampshire Municipal Association recommends the following measures to ensure data security:

Evaluation of Cyber Safety :

Government agencies should conduct comprehensive risk studies to identify potential points of failure in their policies and practices. This requires things like “identifying the types of sensitive information that each department collects, where it is maintained, and who has access to that information within the organization” and “conducting an inventory of all hardware and software components to determine the types of hardware and software the organization is currently using and identifying any risks to data and existing hardware and software.”

Safety precautions:

Once the assessment is complete and vulnerabilities are identified, public entities can use a variety of security solutions. The first is a policy for managing passwords that requires employees to use “hard-to-guess” passwords. It’s also important to regularly change your passwords. Using the same or similar passwords for several accounts or applications is also strongly prohibited, as is passing these passwords around to many people.

Public institutions generally retain sensitive data and information, and adding multifactor authentication can help safeguard it. To connect to an account or get access to a network or system using multifactor authentication, “a user is required to supply additional information beyond just a username and password.”

Encryption, making private information unreadable without a passcode, is the third component. Encryption provides an extra layer of protection when storing private data that the public has access to.

As a last and fifth tip, it’s important to always install new security patches. Older versions of software are easier for hackers and fraudsters to exploit. If workers are required to regularly upgrade their gadgets, the organization’s cyber defenses may become more robust.

Training and education for workers:

As was said in the third section, most security breaches are not the result of technical weaknesses but rather the actions of the employees themselves. Regular employee training on cybersecurity processes and standards has the potential to lessen the occurrence of cyberattacks like phishing. Regular training can help staff members spot potential phishing attempts.

Additional procedures:

The New Hampshire Municipal Association also provides a list of other measures that may be taken to minimize the likelihood of cybercrime. The first of these is backing up your data. In the case of a successful cyberattack, having a backup of the organization’s data will help it recover swiftly and do as little harm as possible. The implementation of cybersecurity policies and procedures is the second. As was previously said, most public institutions are ready for a cyberattack because 75% of public corporations now have cybersecurity procedures in place.

An incident response plan, as defined as “a step-by-step plan to determine the nature and extent of the incident, specifying the actions to be taken, and identifying any follow-up actions that may be necessary,” must be included in any public entity’s cybersecurity plan. “having an access management policy, granting access to confidential data and critical IT systems only to those employees who need it as necessary to fulfill their job responsibilities,” is an example of a policy that can protect sensitive information from getting into the wrong hands.

Reductions in cyber premiums would take time to fully materialize, even with the implementation of these best practices for cyber security. The actuary evaluating the premium relativities frequently need a large amount of historical data before they can be certain (also known as “credible”) that best practices have been effective and that lower loss activity will continue.

As the reduced losses become obvious, the rate of relativities will decrease and approach the relativities of other businesses. However, if an underwriter uses schedule rating and anticipates that data will improve due to fewer future losses, then they may be able to detect the use of superior risk management practices at an earlier stage.

Conclusion

Governments still have trouble keeping cyber insurance costs in check due to the current state of the insurance industry and limited funding. Because of their very nature, public institutions will perpetually be in possession of highly confidential data that is a prime target for hackers and cybercriminals.

By implementing best practices, public organizations can improve their loss history, which in turn can help to lower premiums in the future. Claims activity may be reduced by the adoption of risk management principles, just as it can be with other types of insurance. Read our detailed explanation of how cyber insurance shields you from the financial impact of business interruptions.

Reference

¹ U.S. Government Accountability Office (July 19, 2022). Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability. Retrieved March 23, 2023, from https://www.gao.gov/blog/rising-cyberthreats-increase-cyber-insurance-premiums-while-reducing-availability.

² Brooks, C. (June 3, 2022). Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know. Forbes. Retrieved March 23, 2023, from https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=2c18245f7864.

³ Rundle, J. & Uberti, D. (May 18, 2022). Cyber Insurers Raise Rates Amid a Surge in Costly Hacks. Wall Street Journal. Retrieved March 23, 2023, from https://www.wsj.com/articles/cyber-insurers-raise-rates-amid-a-surge-in-costly-hacks-11652866200.

⁴ Check Point. Check Point Research: Weekly Cyber Attacks Increased by 32% Year-Over-Year; 1 Out of 40 Organizations Impacted by Ransomware. Retrieved March 23, 2023, from https://blog.checkpoint.com/2022/07/26/check-point-research-weekly-cyber-attacks-increased-by-32-year-over-year-1-out-of-40-organizations-impacted-by-ransomware-2/.

⁵ Rundle, J. & Uberti, D. (May 18, 2022), op cit.

⁶ ProWriters. Cyber Insurance for Public Entities – The Consequences of a Cyber Attack. Retrieved March 23, 2023, from https://prowritersins.com/products/cyber-insurance-coverage/public-entity-cyber-insurance/.

⁷ Chancey, T. (August 24, 2022). Municipal Ransomware Attacks: How Local Governments Can Prevent Cyber Crime. Scarlett Cybersecurity. Retrieved March 23, 2023, from https://www.scarlettcybersecurity.com/municipal-ransomware-attacks.

⁸ NLC (2019). Protecting Our Data: What Cities Should Know About Cybersecurity. Retrieved March 23, 2023, from https://www.nlc.org/wp-content/uploads/2019/10/CS-Cybersecurity-Report-Final_0.pdf.

⁹ 2020 Deloitte-NASCIO Cybersecurity Study. Retrieved March 23, 2023, from https://www2.deloitte.com/content/dam/insights/us/articles/6899_nascio/DI_NASCIO_interactive.pdf.

¹⁰ Cybersecurity and Infrastructure Security Agency. State and Local Cybersecurity Grant Program. Retrieved March 23, 2023, from https://www.cisa.gov/cybergrants.

¹¹ Wikipedia: Local government in the United States. Retrieved March 23, 2023, from https://en.wikipedia.org/wiki/Local_government_in_the_United_States.

¹² NetDiligence (December 19, 2017). Public Entities and Cyber Security. Retrieved March 23, 2023, from https://netdiligence.com/blog/2017/12/public-entities-and-cyber-security/.

¹³ Jacob, D. (March 25, 2020). Public entities are under (cyber)attack. ALM PropertyCasualty360. Retrieved March 23, 2023, from https://www.propertycasualty360.com/2020/03/25/public-entities-are-under-cyberattack/.

¹⁴ SunGard AS (February 10, 2021). Ransomware attacks against U.S. government entities: 5 key observations and takeaways for municipalities. Retrieved March 23, 2023, from https://www.sungardas.com/en-us/blog/ransomware-attacks-on-us-government-entities/.

¹⁵ NetDiligence (December 19, 2017), op cit.

¹⁶ U.S. Government Accountability Office (May 2021). Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market. Retrieved March 23, 2023, from https://www.gao.gov/assets/gao-21-477.pdf.

¹⁷ Bergal, J. (July 27, 2022). Cyber Insurance Price Hike Hits Local Governments Hard. Pew Charitable Trust. Retrieved March 23, 2023, from https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/07/27/cyber-insurance-price-hike-hits-local-governments-hard.

¹⁸ NLC (2014). Fact Sheet: Public Entity Risk Pools. Retrieved March 23, 2023, from https://www.nlc.org/wp-content/uploads/2020/10/Fact_Sheet-3.docx. (Microsoft Word download)

¹⁹ Noble, A. (November 16, 2021). Cyber Insurance for Local Governments Costs More, Covers Less. Route Fifty. Retrieved March 23, 2023, from https://www.route-fifty.com/tech-data/2021/11/cyber-insurance-local-governments-costs-more-covers-less/186882/. .

²⁰ Bergal, J. (July 27, 2022), op cit.

²¹ Weller, D. (October 19, 2021). Security Is Key to Accessing Public Entity Cyber Liability Insurance. AMWINS. Retrieved March 23, 2023, from https://www.amwins.com/resources-insights/article/security-is-key-to-accessing-public-entity-cyber-liability-insurance.

²² Keenan Blog (February 23, 2022). Schools May Not Receive Cyber Coverage Without Implementing Cyber Controls by July 1. Retrieved March 23, 2023, from https://www.keenan.com/Knowledge-Center/Blog/Details/schools-may-not-receive-cyber-coverage-without-implementing-cyber-controls-by-july-1.

²³ CompTIA-PTI. 2021 National Survey of Local Government Cybersecurity and Cloud Initiatives. Retrieved March 23, 2023, from https://comptiacdn.azureedge.net/webcontent/docs/default-source/research-reports/pti-2021-cybersecurity-report-final.pdf?sfvrsn=fbe93818_2.

²⁴ Thompson, L.N. Cybersecurity Best Practices for Municipalities. New Hampshire Municipal Association. Retrieved March 23, 2023, from https://www.nhmunicipal.org/town-city-article/cybersecurity-best-practices-municipalities.