Lincoln College was 157 years old when it was permanently shuttered in May of this year. Over a century-and-a-half, the Illinois school had weathered world wars and the Great Depression, but it was a cyber attack that ultimately shut it down. Though the college paid $100,000 in ransom to the hackers in order to recover data, it wasn’t able to come up with the additional $50 million required to continue its operations. The combined financial impacts of COVID-19 and the ransom attack closed its doors for good.
In 2018, the city of Atlanta was also a victim of a ransomware attack that targeted city computer systems and caused a disruption in municipal operations. The city paid an undisclosed amount to the hackers before pouring an additional $2.7 million into recovery efforts to improve systems after the attack.
For Barret McGinnis, these two examples perfectly illustrate the risks that municipalities and school districts face, and the types of claims he sees as Underwriting Manager – Cyber & Tech at Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), a member of the Tokio Marine HCC group of companies based in Houston, Texas.
“Public entities store a significant amount of valuable data on students, residents or employees such as addresses, Social Security numbers, and compensation information,” says McGinnis. “We see them targeted time and time again because that kind of data gives attack groups quite a bit of motive – and often schools and municipalities are susceptible because of the lack of controls they have in place, making them a bigger target than some of the other industry classes.”
Paying the price
During a ransomware attack or any other network cyber attack, operations can be severely crippled. Schools are unable to take attendance, upload grades, access or update their website, or easily communicate with students and parents. Municipalities are unable to operate their court systems, which stalls tax payments or other critical municipal operations, and, on the extreme end, these attacks could target 911 or 311 systems, potentially putting lives at risk. To continue core business operations, municipal offices are often forced to revert to pen-and-paper techniques instead of the streamlined software they’re used to, which causes severe delays in their day-to-day business.
Public entities are managing strict budgets, so a cyber attack can be devastating, as it was for the city of Atlanta. Many of these public entities are federally funded and have called on the Federal Communications Commission to provide additional funding to help offset cybersecurity costs when an incident occurs. Due to the current inflationary environment, school districts and municipalities are reprioritizing their budgets and making cuts wherever they can. In some cases, they are trimming the cybersecurity budget. McGinnis cautions against this: “The cost of a cyber insurance policy is minimal compared to the short-term and long-term costs at stake if a cyber attack happens.
“We continue to see ransom payments far exceed the cost to improve security systems or purchase cyber insurance, so my message is to invest now in advance of an attack,” he says, pointing again to the plights of Lincoln College and the city of Atlanta.
“Getting ahead of an incident by implementing the right controls, improving security systems, and purchasing cyber coverage is the best practice.”
The best defense is a good offense
There are several steps that public entities can take to prepare for and mitigate the risk of a cyber incident. One is to maintain offline backups of data. Specifically, immutable backups are the most desired form. This ensures that there is an unencrypted version of the data that can be recovered. Additionally, employees are often vulnerable to a variety of cyber attacks. Staff who have never been trained on cybersecurity threats, given any guidance on what to look out for, or participated in simulated trainings are often unknowingly leaving doors open to intruders. That said, with the proper training and a robust security system in place, “the likelihood of a cyber attack drops pretty dramatically,” McGinnis says.
It’s also important to implement a disaster recovery plan, as it provides organizations with a viable alternative to paying a ransom and gives them a clear strategy in a moment of crisis. Lastly, it’s key to ensure that remote access to the organization’s network, for regular employees and for administrative or privileged users, is secured with multi-factor authentication. Organizations can also implement an endpoint detection and response (EDR) tool, which actively monitors system endpoints in an effort to detect, respond to, and mitigate the severity of a potential breach.
One of the ways CPLG has been responsive to the changing public entity risk landscape is the implementation of continuous non-intrusive network scans to identify and notify organizations of potential exposures – this is a key supplement to strong internal security controls and training. Potential insureds who have not taken steps to properly secure their systems will often not qualify for full ransomware coverage, given their high susceptibility to future attacks. For these insureds, there may be a sublimit for ransomware coverage. In this way, CPLG can still provide valuable coverage to clients while they are working to improve their security posture.
Control requirements, along with higher retentions, are largely commonplace in today’s cyber marketplace for this specific industry class, McGinnis notes. The difference can be found in the type of relationship CPLG cultivates with its insureds.
“We partner with our clients to provide access to critical risk management resources, security vendors who help improve IT security and expertise to stay on top of the looming cyber threats that are always out there.”
Barret McGinnis joined Tokio Marine HCC – Cyber & Professional Lines Group (CPLG) in 2016. As an Underwriting Manager, he leads the West Coast regional Cyber and Tech E&O underwriting team. Barret is responsible for overall team development and supporting CPLG’s underwriting efforts, offering a variety of insurance solutions that incorporate broad first- and third-party coverage for cyber, multimedia, and technology errors and omissions exposures.