Ransomware can hold cities hostage. Will cyber insurance help?
As the director of the Baltimore mayor's office of emergency management, David McMillan prepares for the worst. He plans for and coordinates the response to power outages, storms, and other hazardous situations.
In early May, Mr. McMillan faced a new emergency — a ransomware attack on the city's computers. The malicious software shut off email communications, stopped online bill payments, and locked the city's files. City employees wandered City Hall, uncertain what to do sans computers.
"The most important role for emergency management during a cyber incident is to ensure continuity of operations," says Mr. McMillan, in an email. But a growing number of cities, including Baltimore, are beginning to sketch boundaries around what lengths they will go to to return to business as usual.
Why We Wrote This
Preparing for disaster is a part of city management. But when it comes to preparing for ransomware cyberattacks, officials must weigh whether preparation emboldens or deters hackers.
This is one type of disaster where money can, in a sense, resolve the problem. As the name suggests, ransomware attackers typically offer to restore full server access — for a price. Cyber insurance can, in theory, help municipalities that have fallen victim to such attacks get back to business quickly. But for many city officials, the idea of using insurance to negotiate with hackers presents an ethical challenge because it rewards cybertheft.
Hackers are undoubtedly aware that cities have access to such insurance policies, says Fleming Shi, chief technology officer at Barracuda Networks, a California-based cybersecurity company. They may feel emboldened to ask for larger sums. "They're going to see that as a nice fat check," he says.
More than 70 state and local governments have been subjected to ransomware attacks in 2019, according to by Barracuda. In December, city governments in , and both found their computer systems held hostage. Without insurance, municipalities face the risk of bearing a costly attack all alone. But with insurance, municipalities become capable of potentially a bigger payout for the assailants.
In June, such insurance checks helped two cities in Florida regain access to their systems at a fraction of the ransom request. When Lake City was charged a ransom of about $460,000, the city itself was only on the hook for a $10,000 deductible; cyber insurance picked up the difference. Riviera Beach used insurance to pay off a roughly $600,000 ransom, after paying a $25,000 deductible.
In both cases, ransomers walked away with a windfall. But the motive behind targeting municipalities with ransomware is not always solely financial.
Voter information or other private, personal information held by municipalities can be stolen in a ransomware attack, Mr. Shi says. In addition to locking the system, attackers can gain access to a system's files — a problem that paying a ransom does not solve.
When Baltimore Mayor Bernard "Jack" Young received a ransom demand of about $76,000 in Bitcoin, he refused to pay. That decision meant that the city instead absorbed more than in systems repair and data recovery.
Over the summer, Mr. Young helped rally his mayoral colleagues behind a pledge to stand "united against paying ransoms in the event of an IT security breach." The resolution, which he co-sponsored with Las Vegas Mayor Carolyn Goodman, was unanimously adopted by more than 1,400 mayors represented by the U.S. Conference of Mayors.
The resolution to not pay ransoms did not prevent Baltimore from investigating and eventually purchasing cyber insurance. In October, Baltimore's Board of Estimates voted unanimously to purchase , totaling $800,000 for one year of coverage.
The policies' total coverage of $20 million could be used to offset costs incurred by business interruption, and to pay for investigation and response teams.
The trend over the past five years has been toward having a cyber insurance policy as a best practice, says Josh Zelonis, a principal analyst at the Massachusetts-based market research company Forrester. But Mr. Zelonis called paying a ransom with insurance "a very touchy area."
John Fokker, head of cyber investigations for McAfee Advanced Threat Research, also sees overall benefits in cyber insurance.
"No matter how secure your organization is you will always be left with that last piece of risk that you cannot cover with regular IT systems," says Mr. Fokker, a co-founder of the international . "The insurance can cover that part and it will cover any additional costs, which you have to make after an attack takes place."
Mr. Fokker, who formerly worked in law enforcement and helped author the section on ransomware in the , put it clearly: "Cyber insurance doesn't protect you against ransomware."
As Baltimore's new cybersecurity committee, created in the wake of the May attack, held its first hearing in November, emergency management director Mr. McMillan fielded council members' questions about what is being done to prepare and plan for future attacks.
"Lots of other major American cities were reaching out to me," Mr. McMillan told the committee members. The other cities wanted to know how they can improve and prepare for a cyber incident.
Mr. Shi urges municipal leaders and residents to think about cybersecurity as a regular component of emergency management.
"Just like we test the city's capabilities to respond to fire," says Mr. Shi, "we have to have our citizens stand up and say, 'How is my data protected?'"
Editor's note: This article has been updated to correct John Fokker's affiliation with McAfee. He is head of cyber investigations for McAfee Advanced Threat Research.