How to decrease cyber insurance premiums for municipalities

Cyber insurance remains one of the most talked-about subjects in today’s property and casualty (P&C) insurance market. Pricing cyber insurance can be challenging because it is a relatively new coverage (around 20 years old)[1]. In fact, the major cyber insurance writers’ direct written premiums rose by 92% in 2021 compared to 2020 levels as a result of the recent rise in the frequency of cyberattacks[2], which affected all industries, although some saw greater increases than others.

According to Check Point Research[4], the government and military sector had the second-highest average weekly attack rate in 2022, a 44% increase over 2021 levels, behind only the education and research sector.

Because cyber claim activity changed differently from industry to industry, especially for public entities, I was interested in how cyber insurers were varying their rates by industry.[5] The increase in premiums noted above was driven by significant rate hikes in response to these increases in claim activity, not by insurers expanding into new business areas.

I looked at ten publicly available cyber rate filings with varying rates for public bodies, frequently labeled “municipalities.” Municipalities were charged the highest industry tier prices (i.e., highest risk) in five of these ten filings.

Municipalities were rated in the second-highest tier in three cases, after hospitals and nursing institutions. The two remaining filings both expressly prohibited underwriters from writing business for municipalities. For the cyber insurers who did write municipal business, the relativities differed dramatically, with base class adjustment factors ranging from 2 to over 12!

Since prices for municipalities might be 12 times higher than the base company class, I decided to look into why cyber insurance premiums for municipalities and other public bodies are higher than for other businesses.

Reason #1: Governmental institutions keep sensitive data

Public institutions use and store data that is particularly sought after by hackers. This includes personally identifiable information (PII) like Social Security numbers as well as other sensitive records like tax returns[6]. If these private records get into the wrong hands, they can be exploited for a range of crimes, including identity theft.

Reason #2: Resources are scarce

Public organizations are not always able to update their cybersecurity infrastructure because of a lack of funding. A National League of Cities (NLC) survey found that 67% of municipalities said their budgets were insufficient to adequately secure data, and that more than half of respondents thought elected officials did not place a high priority on cybersecurity budgets and policies.

According to Deloitte research on cybersecurity, most states spend less than 3% of their overall IT budget on cybersecurity. Municipalities also spend a substantially lower percentage of their budget or income on information technology (IT) than other businesses.

Given that a far lower portion of budget and income goes to IT (and only 3% of the 0.1% goes to cybersecurity), it is clear that a lack of resources contributes to public institutions being a frequent target of cyberattacks. There are, however, some encouraging developments in cybersecurity for public entities.

According to the NLC poll, around 75% of local governments have a cybersecurity plan. Although a strategy is in place, public organizations frequently fall behind their private counterparts in updating it. Only 68% of the 75% of respondents who have a cybersecurity strategy have evaluated it in the past year. The NLC poll notes that annual audits of cybersecurity strategies are a best practice, so it is alarming that one-third of organizations do not carry out such audits.

The United States is making an effort to bridge the cybersecurity resource gap between governmental institutions and other businesses. In September 2022, the Department of Homeland Security unveiled a brand-new cybersecurity grant program[10] that will give $1 billion over four years to public institutions throughout the country.

To receive the grant money, states must pass at least 80% of it on to local governments. The United States has 19,429 towns, which means the average total payout over the four years will be between $41,000 and $52,000 (or around $10,000 to $13,000 each year). Although not insignificant, these sums are probably insufficient to significantly enhance cybersecurity training and infrastructure.

Reason #3: Insufficient cybersecurity training

Even if a public institution has a cybersecurity plan, employees must be aware of common weaknesses like phishing, which can lead to attacks like ransomware. Data breach studies consistently show that the primary risk to most organizations is the people who work there, so having employees properly trained on the dos and don’ts of cybersecurity is an important way to prevent data breaches. According to NetDiligence[12], “most security breaches can be traced back to a failure of people or process—not technology.”

The NLC poll found that 76% of respondents offer staff awareness training for cyberattacks. Fortunately, 80% of those who do provide this training offer it on a continuing basis, at least once a year. This means, however, that over 40% of all municipalities (100% – 76% x 80%) either do not train their staff or train them seldom. Some respondents also indicated that training is only offered during onboarding, which poses a serious danger because attackers change their techniques over time.

Reason #4: The prospect of public scrutiny

After a hack, a public organization faces greater scrutiny in its dealings with the public. Public organizations can feel pressure to respond to the hack quickly[13] in order to avoid further disruptions and delays. This can include paying a ransom, which the victim may find expensive. Ransomware attacks on US government agencies cost taxpayers more than $52 billion from 2018 to 2020[14].

Although public institutions house sensitive and essential data, the major objective of these cyberattacks is to disrupt regular operations[15]. If a municipality’s systems were down, many regular services that the public relies on would be unavailable, which could possibly lead to anarchy. This is one of the numerous factors contributing to the frequent targeting of governmental organizations.

With all these factors driving up the cost of cyber coverage for public entities in mind, let’s look at some of the cyber market developments that affect public organizations.

Trends in the public entity cyber market

The majority of cyber insurance policyholders, across all industries, have experienced rate increases[16]. Public entities, however, have seen rate increases greater than those in other industries, due to poorer risk management and cybersecurity practices as well as being a more popular target for cybercriminals.

One South Carolina county, for instance, discovered that its rates had jumped by 300%. Significant rate increases were also applied to public entity risk pools, which are associations of public organizations (often located in the same state) formed to lower and stabilize insurance costs. Maryland’s Local Government Insurance Trust, a public entity risk pool, had a rate rise of 300%[19]. Rate hikes of that magnitude are prohibitive for public institutions (and pools) with constrained cybersecurity budgets.

Public entities that don’t address these security measures may be subject to lower limits or even nonrenewal, according to Loretta Worters, spokesperson for the Insurance Information Institute: “To reduce risk and potential losses, insurers are becoming more diligent during the application process about which safeguards and technology an organization uses to protect itself against cyberattacks”[20].

According to AMWINS[21], the present commercial cyber market for government bodies is difficult. Average aggregate limits seldom exceed $5 million. Meanwhile, retention requirements have increased, with certain public entities being required to retain the first $1 million of a cyber incident. One public entity risk pool, for instance, saw its limits drop from $1 million to $250,000 while its deductible increased from $5,000 to $25,000.

As noted above, certain insurance companies won’t write coverage for public institutions at all. Others will only write policies for public entities that have the necessary safeguards in place, such as “implementing encrypted data backup, multi-factor authentication, data segmentation, and password policies.”[22] Because of the state of the traditional commercial market, a number of specialized public entity risk pools are starting to provide cyber insurance to their members.

Public entity risk pools can offer coverage tailored to the needs of their members because they underwrite specifically for the risks that public entities face.

The good news is that, despite rising rates and likely nonrenewals, an increasing number of public bodies insure their cyber risks. 90% of local governments polled in the 2021 National Survey of Local Government Cybersecurity Programs and Cloud Initiative[23] have cyber insurance.

That is a higher percentage than in 2020, when 78% said they had cyber insurance. Nonetheless, 69% of those who bought cyber insurance in 2021 saw rate hikes from the previous year.

How can public organizations cut the price of their cyber insurance?

There are two approaches government organizations can take to reduce the price of their cyber insurance. The first is to modify the structure of their insurance policies. Municipalities may choose to retain a working layer (such as $25,000) and then buy a policy that extends coverage from the working layer up to a predetermined cap (such as $1 million). This kind of coverage may be able to reduce premiums for public bodies that recently faced significant rate hikes.

Reducing losses is the second, and perhaps most effective, strategy for public entities to cut their cyber insurance expenses. For a coverage like general liability, losses can be reduced by putting effective risk management practices in place. The same applies to cyber insurance. To reduce loss activity, public organizations must strengthen their cybersecurity plans and processes, especially those that fall short for reasons #2 and #3 above.

So how, precisely, might government organizations strengthen their cybersecurity? The New Hampshire Municipal Association outlines the following cybersecurity best practices:

1. Cybersecurity assessment: To find any weaknesses in their processes and procedures, public bodies must perform thorough risk analyses. This involves “conducting an inventory of all hardware and software components to determine the types of hardware and software the organization is currently using and identifying any risks to data and existing hardware and software,” as well as “identifying the types of sensitive information that each department collects, where it is maintained, and who has access to that information within the organization.”

2. Security measures: Once the assessment is done and vulnerabilities are found, public bodies can put a number of security measures in place. The first of these is a password management policy that mandates “hard-to-guess” passwords for use by staff. Passwords should also be updated regularly. Moreover, “same or similar passwords should never be used for various accounts or apps and sharing of passwords should be discouraged.”

The second is multifactor authentication, which adds a layer of security that can help protect the sensitive data and information that public entities typically store. Multifactor authentication “requires a user to supply additional information besides just a username and password before being allowed to login to an account or gain access to a network or system.”

The third is encryption, which is the process of rendering confidential data unintelligible without a key or password. When storing sensitive information about the general public, encryption offers an additional degree of security.

The fourth and final measure is keeping up with security updates. Attackers can more readily take advantage of outdated software, so requiring employees to update their devices regularly can result in stronger cyber resilience.

3. Employee education and training: As noted in reason #3 above, employee behavior rather than technical flaws is the primary cause of most security breaches. Cyberattacks like phishing may be reduced by routinely training all staff in cybersecurity protocols and procedures. With frequent training, employees will be better equipped to recognize possible phishing attacks.

4. Additional practices: The New Hampshire Municipal Association also lists a number of other practices that can be among the most effective in preventing cyber damage. The first of these is maintaining a data backup. Having a data backup will help the public organization recover quickly and minimize any possible damages in the event of a successful cyberattack. The second is putting cybersecurity policies and processes in place. Since 75% of public entities currently have cybersecurity policies in place, as already noted, most public entities are prepared for a cyberattack.

A public entity’s cybersecurity plan must also include an incident response plan, which is “a step-by-step plan to determine the nature and extent of the incident, specifying the actions to be taken and identifying any follow-up actions that may be necessary.” One specific policy that can prevent sensitive data from falling into the wrong hands is “having an access management policy, granting access to confidential data and critical IT systems only to those employees who need it as necessary to fulfill their job responsibilities.”

Even with these cybersecurity best practices in place, the reductions in cyber premiums will take some time to fully materialize. The actuary assessing the premium relativities often needs many years of data before having confidence (known as “credibility”) that best practices have been successful and that it is reasonable to expect the decreased loss activity to continue.

As the lower losses become apparent, the rate relativities will decline toward the relativities of other industries. Nonetheless, an underwriter may be able to recognize the adoption of superior risk management techniques earlier through schedule rating, on the assumption that the data will soon improve as a result of fewer future losses.


Public bodies continue to struggle to control cyber insurance rates because of the current state of the insurance market as well as budgetary constraints. By the nature of their operations, public entities will always hold sensitive information that is a target for hackers and cybercriminals. By putting best practices into place, public organizations can improve their loss experience, which can help reduce premiums in the future. As with other insurance coverages, reducing claim activity requires the effective application of risk management practices.

1 U.S. Government Accountability Office (July 19, 2022). Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability. Retrieved March 23, 2023, from

2 Brooks, C. (June 3, 2022). Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know. Forbes. Retrieved March 23, 2023, from

3 Rundle, J. & Uberti, D. (May 18, 2022). Cyber Insurers Raise Rates Amid a Surge in Costly Hacks. Wall Street Journal. Retrieved March 23, 2023, from

4 Check Point. Check Point Research: Weekly Cyber Attacks Increased by 32% Year-Over-Year; 1 Out of 40 Organizations Impacted by Ransomware. Retrieved March 23, 2023, from

5 Rundle, J. & Uberti, D. (May 18, 2022), op. cit.

6 ProWriters. Cyber Insurance for Public Entities – The Consequences of a Cyber Attack. Retrieved March 23, 2023, from

7 Chancey, T. (August 24, 2022). Municipal Ransomware Attacks: How Local Governments Can Prevent Cyber Crime. Scarlett Cybersecurity. Retrieved March 23, 2023, from

8 NLC (2019). Protecting Our Data: What Cities Should Know About Cybersecurity. Retrieved March 23, 2023, from

9 2020 Deloitte-NASCIO Cybersecurity Study. Retrieved March 23, 2023, from

10 Cybersecurity and Infrastructure Security Agency. State and Local Cybersecurity Grant Program. Retrieved March 23, 2023, from

11 Wikipedia: Local government in the United States. Retrieved March 23, 2023, from

12 NetDiligence (December 19, 2017). Public Entities and Cyber Security. Retrieved March 23, 2023, from

13 Jacob, D. (March 25, 2020). Public entities are under (cyber)attack. ALM PropertyCasualty360. Retrieved March 23, 2023, from

14 SunGard AS (February 10, 2021). Ransomware attacks against U.S. government entities: 5 key observations and takeaways for municipalities. Retrieved March 23, 2023, from

15 NetDiligence (December 19, 2017), op. cit.

16 U.S. Government Accountability Office (May 2021). Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market. Retrieved March 23, 2023, from

17 Bergal, J. (July 27, 2022). Cyber Insurance Price Hike Hits Local Governments Hard. Pew Charitable Trust. Retrieved March 23, 2023, from

18 NLC (2014). Fact Sheet: Public Entity Risk Pools. Retrieved March 23, 2023, from (Microsoft Word download)

19 Noble, A. (November 16, 2021). Cyber Insurance for Local Governments Costs More, Covers Less. Route Fifty. Retrieved March 23, 2023, from

20 Bergal, J. (July 27, 2022), op. cit.

21 Weller, D. (October 19, 2021). Security Is Key to Accessing Public Entity Cyber Liability Insurance. AMWINS. Retrieved March 23, 2023, from

22 Keenan Blog (February 23, 2022). Schools May Not Receive Cyber Coverage Without Implementing Cyber Controls by July 1. Retrieved March 23, 2023, from

23 CompTIA-PTI. 2021 National Survey of Local Government Cybersecurity and Cloud Initiatives. Retrieved March 23, 2023, from

24 Thompson, L.N. Cybersecurity Best Practices for Municipalities. New Hampshire Municipal Association. Retrieved March 23, 2023, from
