Cities in Florida have more to fear than hurricanes. In the last month, Riviera Beach and Lake City, both located in the state, had to deal with the consequences of cyberattacks. The former agreed during a city council meeting to pay hackers $600,000 in bitcoin to restore its computer networks, which were crippled by an email virus, while the latter paid close to half a million dollars to cyber criminals after a ransomware hit.
“Over the last several years, we’ve seen many cities facing [this threat],” said Thom Rickert, emerging risks specialist at Argo Group US. “But, the requests have been relatively small, under $50,000, to release the data. Now, we’ve been seeing much larger demands [and] the $600,000 is significantly over the average for ransomware demands on local governments.”
Cities might feel beholden to hackers and determined to pay them off quickly because critical infrastructure might be compromised in such an attack. Sometimes it’s cheaper to pay $10,000 in ransom than $100,000 to replace servers and recovered data, according to Rickert. However, it’s hard to keep up when the ransomware landscape itself is changing.
Read more: The growth of ransomware extortion demands
“What we’re seeing more of is that hackers are looking to steal and then sell data, and it’s not that hit-and-run attack – they want to remain stealthy, they want to gather as much information as they can over as long a period as possible, and then we also have the hacktivists who are looking to disrupt services and attack a local government’s reputation, where they may have a social cause they’re trying to draw attention to,” he told Insurance Business.
These recent events as well as previous attacks on Atlanta, Baltimore, and many more municipalities and their various departments underscore the need for cities to have dedicated plans in place to address their cyber risk.
“[A plan] gives you the ability to identify the vulnerabilities and gaps you may have in your cybersecurity system, and that goes to people, software, the infrastructure, IoT devices – all the technology that cities and towns and government entities are using today that may be exposed to attack,” said Rickert, adding that planning ahead also allows cities to assess their cybersecurity maturity and determine whether they have the right protection in place to guard against denial of service attacks.
Beyond that, a cybersecurity plan can serve as a training and awareness tool. As teams provide input on the cybersecurity of their public entity, they in turn become more familiar with the terminology as well as their own exposures.
“Many people think their website is the place where they’re exposed or this cloud application they use is what’s exposed. Then they start to identify other things – a hacker can hack in through a central air conditioning system that’s being monitored on the network. They can find ways into the system that are connected to the network that people don’t think about until they understand how networks connect,” explained the Argo expert.
Just like cities have plans in place should a tropical storm sweep through, they should also have clear guidelines for how to mitigate against and deal with cyber threats.
“That kind of plan, as in any other emergency management plan, is the key to resilience, and that’s the ability to adapt to changing conditions, and prepare and withstand and then rapidly recover from any adverse event – in this case, a cyberattack,” said Rickert.
As for the broader cyber risk landscape, insurance professionals and their clients should expect to see more sophisticated ransomware attacks in the future.
“It used to be not uncommon that the ransomware that was being utilized in the older generations wasn’t frankly all that good. Somebody might get hit with that malicious software, and they might get asked to pay a ransom in some sort of cryptocurrency, usually bitcoin, of a couple hundred dollars,” said Tim Francis, vice president of cyber risk management at Travelers Insurance. “If the ransom was any more significant than that, it was easy enough to reboot the system and back-up the data, [so] it fell into that category of nuisance.”
Today, ransomware is far more complex and pervasive, and Travelers has seen ransom demands spike because not only is the data encrypted, but the back-ups of the data are encrypted throughout the entire computer system.
“Whether you’re a municipality or anyone else, you’re effectively rendered back to the dark ages in terms of how your business would operate,” said Francis. “Because of that, bad actors are able to demand a higher ransom, and that ransom is more likely to get paid because it may be the only viable means to get the systems back up and running.”
As a result, added the Travelers leader, more municipalities are purchasing cyber insurance because today’s policies deal with those issues, in addition to traditional data breach cover.