Cyber insurance continues to be one of the hot topics in the property and casualty (P&C) insurance industry today. As a relatively new coverage (circa 20 years1), cyber insurance pricing can be difficult. In fact, due to a recent higher frequency of cyberattacks,2 direct written premiums for the largest cyber insurance writers increased by 92% in 2021 from 2020 levels.3 Increased cyberattack frequency affected all industries; however, some industries experienced larger increases than others. According to Check Point Research,4 the government and military industry experienced the second-highest average number of weekly attacks in 2022 (and a 44% increase from 2021 levels), behind only the education and research industry.
This increase in premiums was driven by significant rate hikes in response to these increases in claim activity; it was not due to insurers’ expanding into new business areas.5 Due to differing changes in cyber claim activity by industry, I was curious as to how cyber insurers were varying their rates by industry, in particular for public entities. I reviewed 10 publicly available cyber rate filings that varied their rates for public entities (often specifically “municipalities”). In five out of these 10 filings, municipalities were priced in the highest industry tier (i.e., highest risk). In three filings, municipalities were priced in the second-highest tier, behind hospitals and nursing homes. The remaining two filings both specifically excluded underwriters from writing municipality business. For cyber insurers that did write municipality business, the relativities varied significantly, with factors adjusting the base class ranging from 2 to over 12! With rates for municipalities potentially being 12 times higher than the base business class, I decided to investigate why cyber insurance premiums for municipalities and public entities are higher than for other industries.
Reason #1: Public entities store sensitive information
Public entities use and store data that is highly coveted by cybercriminals. This includes personal identifiable information (PII) such as Social Security numbers, as well as other important documents such as tax records.6 These personal documents can be used in a variety of ways, such as identity theft, if they get into the wrong hands.
Reason #2: Limited resources
Due to limited resources, public entities may not necessarily be able to update their cybersecurity infrastructure.7 According to a survey conducted by the National League of Cities (NLC), 67% of municipalities said that the budget was not large enough to properly secure data.8 Additionally, over half surveyed believed that cybersecurity budgets and policies were not considered a priority by elected officials. According to a cybersecurity study conducted by Deloitte,9 most states only allocated less than 3% of their total IT budget to cybersecurity. In budgeting for information technology (IT), municipalities spend a significantly smaller percentage of budget or revenue as compared to other businesses. These percentages are displayed in the graph in Figure 1.
Figure 1: Percentage of Budget/Revenue on IT
Municipalities from https://www.infosecurity-magazine.com/opinions/municipalities-managing-cyber-risk/.
Businesses from https://onserve.ca/how-much-should-a-small-business-spend-on-information-technology/.
With a significantly smaller percentage of budget and revenue going to IT (and only 3% of the 0.1% going to cybersecurity), it’s clear that limited resources are contributing to public entities being a frequent target of cyberattacks. However, there is some good news related to public entity cybersecurity. According to the NLC survey, over 75% of local governments have a cybersecurity plan. However, even though there is a plan in place, public entities are often lagging behind their private counterparts when it comes to updating the cybersecurity plan. Of the 75% surveyed that have a cyber security plan, only 68% reviewed the plan in the last year. According to the NLC survey, annual audits of cybersecurity plans are a best practice, so it is troublesome to see that one-third do not perform annual audits.
In an attempt to close the gap in cybersecurity resources between public entities and other industries, the U.S. Department of Homeland Security announced a new cybersecurity grant program in September 2022.10 This grant is specific to public entities across the United States and will distribute $1 billion over four years. The grant requires states to distribute at least 80% of the funds to local governments. There are currently 19,429 municipalities in the United States.11 This implies the average total payout for the four-year period would be between $41,000 to $52,000 (or around $10,000 to $13,000 each year). These amounts, while not immaterial, are most likely not enough to substantially improve cybersecurity infrastructure and training.
Reason #3: Lack of cybersecurity education
Even if a public entity has a cybersecurity plan, employees need to be aware of potential vulnerabilities such as phishing, which can lead to attacks such as ransomware. According to NetDiligence,12 “most security breaches can be traced back to a failure of people or process—not technology.” NetDiligence further explains that “data breach studies consistently show that the primary risk to most organizations is the people who work there.” So having employees properly trained on the dos and don’ts of cybersecurity is an important way to prevent data breaches.
According to the NLC survey, 76% of those surveyed provide employee awareness training for cyberattacks. Fortunately, 80% of those that do offer this training provide ongoing training at least once a year. However, this means that nearly 40% of all municipalities (100% - 76% x 80%) either do not train their employees or train their employees infrequently. Some of those surveyed also mention that training is only provided at onboarding, which can become a significant risk as cybercriminals may change their approaches over time.
Reason #4: Potential public scrutiny
In dealing with the public, there comes an increased scrutiny after a cyberattack. Public entities may feel pressured to deal with the cyberattack quickly,13 in order to prevent any further disruptions and delays. This includes paying a ransom, which can be costly for the victim. From 2018 to 2020, ransomware attacks against U.S. government organizations cost over $52 billion14.
Even though public entities store important and sensitive information, the main goal of these cyberattacks is to cause interruptions and stop normal processes.15 Were a municipality’s systems to go down, many normal services that the public relies on would be unavailable and could potentially cause chaos. This is one of the many reasons why public entities are frequently targeted.
With all these reasons leading to higher cyber costs for public entities, let’s take a look at some of the cyber market trends affecting public entities.
Public entity cyber market trends
While the majority of cyber insurance policyholders (for all types of industries) experienced rate increases,16 public entities have experienced rate increases larger than other industries, due to poorer risk management and cybersecurity practices, as well as being a more popular target to cybercriminals. For example, one county in South Carolina learned that its premiums increased by 300%!17 Public entity risk pools, which are groups of public entities (usually in the same state) that form to reduce and stabilize insurance costs,18 were also subject to significant rate hikes. Local Government Insurance Trust, a public entity risk pool in Maryland, experienced a rate increase of 300%.19 For public entities (and pools) with a strict budget for cybersecurity, 300% rate increases are unaffordable. According to Loretta Worters, spokesperson for the Insurance Information Institute, “To reduce risk and potential losses, insurers are becoming more diligent during the application process about which safeguards and technology an organization uses to protect itself against cyberattacks”.20 If public entities don’t have these security measures addressed, they may be subject to lower limits or potential nonrenewal.
According to AMWINS,21 the current commercial cyber market for public entities is challenging. Aggregate limits are fairly low, rarely exceeding $5 million. Additionally, retentions are higher, with some public entities required to retain the first $1 million of a cyber event. For example, one public entity risk pool’s limits decreased from $1 million to $250,000, along with the deductible increasing from $5,000 to $25,000.
As mentioned above, some carriers will not write policies for public entities. Others will only write policies for those public entities with proper controls, such as “implementing encrypted data backup, multi-factor authentication, data segmentation, and password policies.”22 Due to the state of the traditional commercial market, many specialized public entity risk pools are beginning to offer cyber coverage to their members. Because public entity risk pools underwrite specifically for the risks that public entities face, they can help provide more tailored coverage needs.
The good news is that, even with increasing premiums and potential nonrenewals, a growing percentage of public entities insure their cyber risks. According to the 2021 National Survey of Local Government Cybersecurity Programs and Cloud Initiative,23 90% of local governments surveyed had cyber insurance. This was an increase from 2020, when 78% responded having cyber insurance. However, 69% of those that purchased cyber insurance in 2021 experienced rate increases from the prior year.
How can public entities lower their cyber insurance costs?
There are two ways for public entities to lower their cyber insurance costs. The first is to change their coverage structures. One possible strategy for municipalities is to retain a working layer (e.g., $25,000), then purchase a policy that covers the layer from the working layer to a specific limit (e.g., $1 million). This example of coverage could potentially help lower premium to public entities that experienced extreme rate increases recently.
The second and arguably the best way for public entities to lower their cyber insurance costs is to lower their losses. For a coverage such as general liability, lowering losses can be achieved by implementing effective risk management procedures. Cyber insurance is no different. To decrease loss activity, public entities need to improve their cybersecurity programs and protocols, especially those that are lacking in reasons #2 and #3 above.
So how exactly can public entities improve their cybersecurity? The New Hampshire Municipal Association lays out the following best practices for cybersecurity24:
1. Cybersecurity assessment: Public entities need to conduct comprehensive risk assessments to identify any vulnerabilities in their programs and procedures. This includes identifying “the types of sensitive information that each department collects, where it is maintained, and who has access to that information within the organization,” as well as “conducting an inventory of all hardware and software components to determine the types of hardware and software the organization is currently using and identifying any risks to data and existing hardware and software.”
2. Security initiatives: Once the assessment is conducted and vulnerabilities are identified, public entities can implement several security initiatives. The first of these is a password management policy, for which employees should use “hard-to-guess” passwords. Additionally, “same or similar passwords should never be used for different accounts or applications and sharing of passwords should be prohibited.” Passwords should also be changed often at a regular frequency.
The second item to implement would be multifactor authentication, which “requires a user to supply additional information besides just a username and password before being allowed to login to an account or gain access to a network or system.” Adding multifactor authentication leads to heightened security that can help protect the sensitive data and information that public entities typically store.
The third item is encryption, which is where sensitive information is unreadable without a password. Encryption adds another layer of protection when storing the public’s sensitive information.
The fourth and final item is to keep current with security updates. Software that is not current can more easily be taken advantage of by hackers and cybercriminals. Having employees consistently update their devices can lead to stronger cyber resiliency.
3. Employee education and training: As mentioned in reason #3 above, most security breaches are caused by employee actions rather than technological vulnerabilities. Having all employees regularly trained in cybersecurity processes and procedures can help minimize cyberattacks such as phishing. With regular training, employees will be more aware of how to identify potential phishing scams.
4. Other processes and procedures: The New Hampshire Municipal Association also includes several other processes and procedures that can best help prevent cyber losses. The first of these is backing up data. In the instance there is a successful cyberattack, having a data backup will allow the public entity to get back on its feet and help to minimize any potential losses. The second of these is having cybersecurity policies and procedures in place. As mentioned above, 75% of public entities already have cybersecurity plans in place, so most public entities are already in good position in the event of a cyberattack. One specific policy that can prevent sensitive data getting into the wrong hands “is by having an access management policy, granting access to confidential data and critical IT systems only to those employees who need it as necessary to fulfill their job responsibilities.” A public entity’s cybersecurity plan must also include an incident response plan that is “a step-by-step plan to determine the nature and extent of the incident, specifying the actions to be taken and identifying the roles of key employees, vendors, and other stakeholders for each step in the plan.”
Even if these cybersecurity best practices have been implemented, the cyber premium decreases would not be fully realized for several years. The actuary estimating the premium relativities typically requires several years of data to have confidence (called “credibility”) that the best practices have been successful and that it is reasonable to expect lower loss activity to continue. Once the lower losses have been evident, the rate relativities will decrease closer to the relativities of other industries. However, an underwriter may recognize the implementation of better risk management practices initially through schedule rating, given the assumption that the improvement in the data will soon be evident through lower future loss experience.
With the current state of the cyber insurance market, as well as budgetary restrictions, public entities face a continuing uphill battle when it comes to managing cyber insurance premiums. Due to the nature of their business, public entities will always have access to sensitive information that is a target for hackers and cybercriminals. However, through implementing best practices, public entities can improve their historical loss experience, which can help lower premiums in the future. Similar to other insurance coverages, effective implementation of risk management processes and procedures is key to decreasing claim activity.
1 U.S. Government Accountability Office (July 19, 2022). Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability. Retrieved March 23, 2023, from https://www.gao.gov/blog/rising-cyberthreats-increase-cyber-insurance-premiums-while-reducing-availability.
2 Brooks, C. (June 3, 2022). Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know. Forbes. Retrieved March 23, 2023, from https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=2c18245f7864.
3 Rundle, J. & Uberti, D. (May 18, 2022). Cyber Insurers Raise Rates Amid a Surge in Costly Hacks. Wall Street Journal. Retrieved March 23, 2023, from https://www.wsj.com/articles/cyber-insurers-raise-rates-amid-a-surge-in-costly-hacks-11652866200.
4 Check Point. Check Point Research: Weekly Cyber Attacks Increased by 32% Year-Over-Year; 1 Out of 40 Organizations Impacted by Ransomware. Retrieved March 23, 2023, from https://blog.checkpoint.com/2022/07/26/check-point-research-weekly-cyber-attacks-increased-by-32-year-over-year-1-out-of-40-organizations-impacted-by-ransomware-2/.
5 Rundle, J. & Uberti, D. (May 18, 2022), op cit.
6 ProWriters. Cyber Insurance for Public Entities – The Consequences of a Cyber Attack. Retrieved March 23, 2023, from https://prowritersins.com/products/cyber-insurance-coverage/public-entity-cyber-insurance/.
7 Chancey, T. (August 24, 2022). Municipal Ransomware Attacks: How Local Governments Can Prevent Cyber Crime. Scarlett Cybersecurity. Retrieved March 23, 2023, from https://www.scarlettcybersecurity.com/municipal-ransomware-attacks.
8 NLC (2019). Protecting Our Data: What Cities Should Know About Cybersecurity. Retrieved March 23, 2023, from https://www.nlc.org/wp-content/uploads/2019/10/CS-Cybersecurity-Report-Final_0.pdf.
9 2020 Deloitte-NASCIO Cybersecurity Study. Retrieved March 23, 2023, from https://www2.deloitte.com/content/dam/insights/us/articles/6899_nascio/DI_NASCIO_interactive.pdf.
10 Cybersecurity and Infrastructure Security Agency. State and Local Cybersecurity Grant Program. Retrieved March 23, 2023, from https://www.cisa.gov/cybergrants.
11 Wikipedia: Local government in the United States. Retrieved March 23, 2023, from https://en.wikipedia.org/wiki/Local_government_in_the_United_States.
12 NetDiligence (December 19, 2017). Public Entities and Cyber Security. Retrieved March 23, 2023, from https://netdiligence.com/blog/2017/12/public-entities-and-cyber-security/.
13 Jacob, D. (March 25, 2020). Public entities are under (cyber)attack. ALM PropertyCasualty360. Retrieved March 23, 2023, from https://www.propertycasualty360.com/2020/03/25/public-entities-are-under-cyberattack/.
14 SunGard AS (February 10, 2021). Ransomware attacks against U.S. government entities: 5 key observations and takeaways for municipalities. Retrieved March 23, 2023, from https://www.sungardas.com/en-us/blog/ransomware-attacks-on-us-government-entities/.
15 NetDiligence (December 19, 2017), op cit.
16 U.S. Government Accountability Office (May 2021). Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market. Retrieved March 23, 2023, from https://www.gao.gov/assets/gao-21-477.pdf.
17 Bergal, J. (July 27, 2022). Cyber Insurance Price Hike Hits Local Governments Hard. Pew Charitable Trust. Retrieved March 23, 2023, from https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/07/27/cyber-insurance-price-hike-hits-local-governments-hard.
18 NLC (2014). Fact Sheet: Public Entity Risk Pools. Retrieved March 23, 2023, from https://www.nlc.org/wp-content/uploads/2020/10/Fact_Sheet-3.docx. (Microsoft Word download)
19 Noble, A. (November 16, 2021). Cyber Insurance for Local Governments Costs More, Covers Less. Route Fifty. Retrieved March 23, 2023, from https://www.route-fifty.com/tech-data/2021/11/cyber-insurance-local-governments-costs-more-covers-less/186882/. .
20 Bergal, J. (July 27, 2022), op cit.
21 Weller, D. (October 19, 2021). Security Is Key to Accessing Public Entity Cyber Liability Insurance. AMWINS. Retrieved March 23, 2023, from https://www.amwins.com/resources-insights/article/security-is-key-to-accessing-public-entity-cyber-liability-insurance.
22 Keenan Blog (February 23, 2022). Schools May Not Receive Cyber Coverage Without Implementing Cyber Controls by July 1. Retrieved March 23, 2023, from https://www.keenan.com/Knowledge-Center/Blog/Details/schools-may-not-receive-cyber-coverage-without-implementing-cyber-controls-by-july-1.
23 CompTIA-PTI. 2021 National Survey of Local Government Cybersecurity and Cloud Initiatives. Retrieved March 23, 2023, from https://comptiacdn.azureedge.net/webcontent/docs/default-source/research-reports/pti-2021-cybersecurity-report-final.pdf?sfvrsn=fbe93818_2.
24 Thompson, L.N. Cybersecurity Best Practices for Municipalities. New Hampshire Municipal Association. Retrieved March 23, 2023, from https://www.nhmunicipal.org/town-city-article/cybersecurity-best-practices-municipalities.