It’s been almost two weeks since the city of Atlanta was the target of a ransomware attack that left scores of files encrypted by the SamSam virus and thousands of residents unable to access city services at municipal offices, including courts and the water department.
Private companies from Boeing to, most recently, Under Armour and its MyFitnessPal app, were just a few of the victims of cyberattacks in the last month, but hacking an entire city’s public communication systems is a much rarer occurrence.
“About 15% of cyberattacks are directed against the public sector,” said Thom Rickert, vice president and emerging risks specialist of Trident Public Risk Solutions, adding that criminals want to go where they can have the most impact and financial recompense for the hack.
That’s why targeting Expedia-owned Orbitz makes more sense for a hacker than infiltrating a public entity.
“There are more commercial entities than there are public entities,” said Rickert. “There are finite numbers of public entities and there are not a lot of new ones being created. There are more commercial entities subject to attack and they’re growing every day. There are new florists, there are new financial institutions every single day.”
Reducing the cyber exposure of a city can be a difficult task. For one, public entities have limited budgets so they may not be able to assemble an adequate IT security team, and sometimes use outdated and decentralized platforms. Police, finance, and parks and recreation departments might all have their own websites and don’t necessarily coordinate to ensure they meet the same cyber security standards.
Moreover, the nature of a city council’s website, for example, means it has to be accessible so that people can find documents on proposed regulations or upcoming meetings.
“Public entities are soft targets,” explained Rickert. “They are meant to be open systems – you want your citizens coming to your website, you want them using your utility payment system. Schools wants parents to be able to access things, they want people to be able to access board minutes. There are sunshine laws that require certain information to be available, and that information is out there.”
Insuring a public entity, whether it’s an entire city or just one school, requires several types of coverage. Data compromise covers a data breach of personal information, of which governments hold massive amounts, and the public relations resources needed in the aftermath. First and third party liability coverage is useful if a public entity is trying to restore their own data and put their systems back online, and if a hacker used a public site to launch a denial of service attack on another company, causing losses.
“Because the market is still evolving – the terms and conditions, the sub-limits, the limits of insurance – it’s pretty varied,” said Rickert. “So, a public entity is really going to have to examine their policies, talk to their insurance professionals and understand what the coverage is.”