Horry County, South Carolina, got a shock earlier this year to find that their cyber insurance premium would increase from $70,000 last year to about $210,000.
And if they couldn’t meet the insurance company’s demands and prove they had the robust controls needed to protect and defend themselves against cyber-attacks, they learned, they wouldn’t be able to get their $5 million policy at all.
“The insurance companies have you covered. There wasn’t much negotiation,” said Tim Oliver, the county’s chief information officer.
In the United States, many local governments and states, as well as private companies, are in the same boat. They find that their cyber insurance premiums have skyrocketed and they must meet stricter guidelines if they want to get coverage or renew their policy.
“Cyber insurance used to be very cheap,” said Alan Shark, executive director of the CompTIA Public Technology Institute, a Washington, DC-based nonprofit that provides advisory services to local governments. “But things have changed and insurance companies are raising rates dramatically and raising the bar and making it harder to get insurance. Some local governments may not be able to get it anymore.”
Insurance industry officials say the higher premiums for both public and private organizations are the result of rising demand for coverage amid more frequent and costly cybercrime incidents, often ransomware attacks. That means insurers have had to pay out more, raising premiums and tightening policy standards. Some companies have also lowered coverage limits or limited the number of policies they write.
For example, American International Group, one of the nation’s leading cyber insurance underwriters, announced last August that the rates charged to its customers had increased by almost 40% worldwide and that it had tightened the terms of its policies to deal with mounting cyber losses.
Over the past three years, the number of reported cyber insurance claims in the United States increased by 100% per year, according to a May report from Fitch Ratings, a rating agency. In 2021, insurers paid 8,100 claims.
To reduce risk and potential losses, insurers are increasingly careful during the application process about which safeguards and technology an organization uses to protect itself from cyberattacks, said Loretta Worters, spokesperson for the Insurance Information Institute, an industry association.
“If a government agency or a company really has such vulnerabilities and doesn’t address them, it will likely result in a higher premium or non-renewal of coverage,” Worters wrote in an email.
Insurers now want to ensure organizations have up-to-date software and firewall protection, a backup system, cyber training for staff, and vulnerability testing, among other things.
They also require organizations to use system-wide multi-factor authentication, including for remote work. Such security technology confirms a user’s identity before logging in, usually by means of a random one-time password or number sent to a smartphone or email address.
Cyber insurance typically covers a variety of services, such as providing forensic expertise to investigate the attack, legal support, hardware replacement, data recovery, and notifying people whose personal information may have been compromised. Some policies also include ransom negotiation with the hackers and payment of the ransom.
The insurance changes stem largely from the explosion of ransomware, which hijacks computer systems, encrypts data and holds it hostage until victims pay a ransom or repair the system themselves. It usually spreads through phishing, where hackers email malicious links or attachments and people unknowingly click on them, unleashing malware.
In 2020, ransomware attacks accounted for 75% of cyber insurance claims in the US, according to AM Best, a credit rating agency.
In recent years, there has been a spate of ransomware attacks on cities, state governments, school districts, law enforcement and healthcare systems. Local governments, especially smaller ones, can be easy prey as they may have fewer resources and staff with cybersecurity expertise.
According to Brett Callow, a threat analyst for cybersecurity firm Emsisoft, in 2021 there were at least 77 successful attacks on local and state governments and another 88 on school districts, colleges and universities. This year, in late June, there were at least 28 attacks on governments and 33 on schools.
In Baltimore, a massive ransomware attack in 2019 crippled thousands of computers and ended up costing the city at least $18 million, a combination of lost or delayed revenue and the cost of recovering systems.
The city, which did not pay the ransom and had no cyber insurance, decided to spend about $835,000 to buy a year of $20 million in coverage for any additional disruptions to its networks. It continued to purchase cyber insurance annually.
Other local authorities choose to pay the ransom because they need their data back quickly and think it is the best option. Some think it would be too expensive and time consuming to start over and rebuild everything from scratch.
Many local governments see cyber insurance as a necessity in the event of an attack, making it even more disturbing that their premiums have skyrocketed and there are new requirements, said Rita Reynolds, chief information officer at the National Association of Counties.
Reynolds said that over the past year and a half, instead of answering a few questions from their cyber insurance company when it came time to renew, counties have been asked to complete lengthy questionnaires about their security practices.
“Insurance companies say higher standards are needed at a higher cost and lower coverage,” she said. “It’s kind of a perfect storm.”
Reynolds said these new requirements aren’t necessarily negative as counties try to keep their cybersecurity up to scratch, but officials were amazed at how quickly it happened.
“It has taken a lot of us off guard a bit,” she said. “Some of the things the insurance companies want are quite easy to implement, but others can be costly and time consuming. You can’t just flip a button.”
Counties want to be protected from cyber-attacks and agree that they must do everything they can to have the right protection, Reynolds said. But those who do not or cannot do so may not be able to renew or purchase cyber insurance.
“The counties are scrambling,” Reynolds said. “And whatever you have, the premiums have doubled and sometimes tripled.”
Some local governments are switching to self-insurance, with officials putting aside a pot of money to use in the event of a cyber-attack, Reynolds says. Some join insurance pools with similar organizations and shop for bargain rates.
Oliver, the South Carolina official, said his county was not aware of changes to the policy’s requirements until two months before it was time to renew. Fortunately, he said, officials were able to answer “yes” to all initial questions about security measures. If they hadn’t, they would have been rejected.
Officials then spent the next two months answering the company’s second questionnaire, which was dozens of pages long, Oliver said. The county was able to troubleshoot and provide solutions to meet the requirements.
The county council had to pass a budget resolution that allowed officials to transfer money from another account to pay the $210,000 premium because it had budgeted only $70,000 for cyber insurance, he added.
Oliver said he is fortunate that his county, with a population of about 365,000 and about 3,000 employees, has four staffers dedicated to cybersecurity and the resources to pay for insurance and meet cyber defense requirements.
But smaller counties, which may not even have an information technology staff, may not be able to do that, he noted.
“Maybe they’re unlucky,” he said. “If they can’t get cyber insurance, perhaps the only option for many of these smaller organizations is to cross their fingers and hope they don’t get hit.”
In Lehigh County, Pennsylvania, with a population of about 375,000, officials have also had a stressful time renewing their cyber insurance policy, Chief Information Officer Bob Kennedy said. About a week before Christmas 2020, they learned they wouldn’t be renewed because they didn’t have multi-factor authentication on all computers used remotely by staffers.
Fortunately, Kennedy said, the county was already planning to make those changes and had bought the necessary software. It was able to speed up the timeline and negotiate with the insurer to make the changes in February 2021 instead of January. The premium increased by 30%. And this year, he noted, the premium nearly doubled from $82,000 to $158,000.
“Many things they oblige are good things. There aren’t too many hoops,” Kennedy said. “But the higher prices are a bigger problem. It requires us to pay premiums that increase year after year, even if you meet all those requirements.”
Ultimately, with all the cyber insurance concerns, there may be a silver lining for local governments, said Reynolds of the National Association of Counties.
“They’re getting smarter at what to do,” she says. “With every challenge there is an opportunity. And in this case, it is an opportunity for them to improve their cybersecurity.”