Dive Brief:
- State and local governments face increased challenges amid a rising threat landscape due to malicious ransomware attacks and sophisticated nation-state threat actors, according to a report released Monday from Moody’s Investors Service.
- More municipalities are buying cyber insurance to mitigate the financial risk of a major attack, however premiums for state and local governments have soared in recent years and insurers have imposed strict cyber hygiene requirements in order to get coverage.
- Municipal governments will benefit from federal funding through the State and Local Cybersecurity Grant Program, which will provide about $1 billion over four years to help these entities harden their networks.
Dive Insight:
Moody’s cited CompTIA data showing the percentage of local governments carrying cyber insurance has nearly doubled in five years to 92%.
While these policies can help mitigate the cost of malicious attacks, they do not always provide enough coverage to offset the full cost. Moody’s noted the 2019 cyberattack against Baltimore cost more than $18 million and the 2018 attack in Atlanta cost the city more than $17 million.
Premiums for smaller governments skyrocketed in recent years amid a surge in attacks and increased loss rates. For example, Horry County, S.C., saw rates surge by 300% to $210,000 in 2022, compared with $70,000 in 2021, according to the report.
Insurers are also cracking down on local governments to make sure they adhere to best practices in cyber risk management. Municipal governments are required to adopt multifactor authentication and add additional safeguards, including firewall protection, employee training and data backups to attain coverage.
“While robust cybersecurity practices can help reduce exposure, initiatives that are costly and require a shift in resources away from core services are a credit challenge,” Gregory Sobel, assistant VP at Moody’s, wrote in the report.
The report comes at a time when state and local governments have dealt with high profile ransomware attacks and data breaches that impacted millions of residents.
In early May, the City of Dallas was hit by an attack linked to the Royal ransomware group. The attack knocked out local courts, the website for the Dallas Police Department and the hackers threatened to release personal data on local employees.
More recently, the MOVEit vulnerability led to major data breaches at the Louisiana Office of Motor Vehicles and the Oregon Department of Transportation. Millions of drivers had their personal data stolen as a result.