Cyber is a crime without boundaries.  

Back when many businesses first opened their doors, a thief would have to be physically located on a company’s premises to break into their office.  While the internet provides many undeniable advantages to the business world, the internet also has no boarder.  The World Wide Web makes it possible for thieves to penetrate businesses from anywhere in the world.  As global of a topic as Cyber Security and Data Breach is, it is also taking place in our own backyard, as La Porte County in Indiana recently fell victim to a ransomware attack that paralyzed their systems and cost the county over $100,000.

What industries are these hackers targeting?  What industries are they not targeting would seem to be a more valid question.  The target is Personal Identifiable Information. Some data is more attractive than others, as a result, the Healthcare Industry has been hit especially hard.  The Financial Services sector has been impacted, Educational Institutions are not exempt, and the latest target rumored to be on the rise, Local Government and Municipalities. 

Phishing vs. Fishing

One word we hear commonly with regards to cyber activity is “Phishing”.  Phishing is defined as the fraudulent practice of sending emails alleging to be from reputable individuals or companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.  Now, shift focus and think of cybercrime in the context of “fishing”.  Trying to maximize your time on the water, the more lines you throw, the more likely you are for a bite.  The wider the mouth of the net, the more likely you are to land the desired “big fish”. 

A common client response with regards to data breach and cyber coverage is “We are too small; we don’t store enough information; we are not a target”.  Size is not a fair assumption of risk anymore.  When hackers sit back (I would imagine they are sitting, maybe they are invested in ergonomics for optimal posture and have adjustable standing desks?!  The world may never know!)  and cast their figurative net of prospects, statistical odds will demonstrate the more businesses they target, the more likely they are to yield their desired results. 

As a result, municipalities of all sizes are being targeted as they are identified as “lower lying fruit”.  Municipalities store some of the same information as State or Federal Government offices, however, it is assumed that they do not have as robust of security measures in place as those institutes.  As increasingly important as it is to invest in updated systems and IT services, it is also important for municipalities to make sure they have Cyber Liability policies in force.  Not only are the frequency of cyber attacks increasing, the severity and complexity of these attacks are on the rise as well.

You’ve Been Breached, Now What?

For a municipality to dedicate a portion of their operating budget and invest in a Cyber Liability policy and receive the paper policy or the policy electronically in exchange, that does not elicit the same purchase satisfaction as investing in something tangible.  What that purchase is, however, is a promise to pay in the future.  A price to pay for peace of mind as it can happen anywhere and should your municipality fall victim to a breach, there is a calmness that comes in sheer chaos knowing that you have a plan.

Cyber Liability policies provide municipalities with an action plan.  Step 1.  Call the insurance carrier. 

While not all Cyber Liability policies are created equal, there are certain coverage considerations that should be reviewed when comparing these options.   The following coverages are explained in greater detail to provide an overview of what should be looked-for when considering a Cyber Liability policy.

• Notification expenses can become costly very quickly and there are different requirements regarding the time allotted for notification and the number of attempts that need to be made at the state level. A Cyber Liability policy would be responsible for maintaining compliance with those varying regulations. Postage and credit monitoring expenses incurred would also be included with this as it relates to a privacy breach.
• Should your municipality fall victim to a breach, that elicits a level of uneasiness and can cause reputational damage. With the proper Cyber Liability policy in force, there can be coverage for the reasonable legal, public relations, advertising and IT forensics expenses experienced as the result of a privacy breach.
• Network Asset Protection would provide coverage to recover or replace data that is lost, damaged, compromised, erased or otherwise corrupted due to accidental damage or destruction, administrative or operational mistakes in the handling of electronic data, or computer attack. Coverage also extends to loss of business income and interruption expenses incurred as a result of total or partial interruption of the computer systems as a direct result of any of the above events.
• Cyber Extortion expenses and extortion monies would be covered contingent on the circumstances if the insurance provider would be able to utilize IT professionals to successfully regain control of the system or if they elect to pay the demand. Paying the demand can seem to be the only way out at times, however, that action continues to fuel cybercrime, so it is important to exhaust all available alternatives before making that decision.
• All the above are examples of First Party cyber coverages, policies may also include coverage for Third Party claims such as allegations of failure to safeguard online or offline information or the failure to prevent virus attack. Policies also including Third Party coverages are very important to protect against these resulting claims that could be brought forth following a breach.

The Best Defense Is A Good Offense

A strategic principle of both war and sports, the same value in offense can be applied to cybercrime.  Proactively preparing with a Cyber Liability policy and the investment in updated systems and IT services instead of having a passive attitude that “it won’t happen here” is a step in the right direction to obtain an advantage over cyber criminals.  As the internet is here to stay, these cyber threats unfortunately are as well; at WalkerHughes we are here to partner with you as you create your municipality’s action plan.