Local governments are confronting the fierce threat of ransomware and tough decisions about whether to pay. As they try to navigate the challenges, many are finding the growing cost and complexity of qualifying for and retaining cyber insurance is placing comprehensive coverage out of reach.
Roughly half of state and local governments worldwide paid ransomware extortions last year, according to cybersecurity firm Sophos’ State of Ransomware 2022 report. The study polled IT professionals from various sectors in January and February 2022, drawing 500 respondents from the U.S. and 5,100 from other nations.
While that report looked globally, Boston CISO and co-chair of the Coalition of City CISOs Greg McCarthy, told GovTech the rate of payment matches up with his observations of local government.
This is a relatively high rate of payment, globally — topped only by the K-12 education sector. Sophos found 49 percent of state and local agencies paying in 2021, and 53 percent of K-12 entities doing the same. On the other end of the spectrum were financial services organizations, with only 32 percent paying.
RANSOMWARE’S GOVERNMENT RATE?
Profit-seeking cyber criminals are often willing to negotiate down to what they think victims can afford.
State and local governments worldwide ultimately ended up paying an average of $214,000 per ransom in 2021, Sophos found — the second-lowest rate across sectors. However, McCarthy said that, anecdotally, he’d heard the amount in the ballpark of $500,000.
Negotiating ransom prices can buy governments time during which to check the status of their backups and determine whether they could recover without paying, said Rita Reynolds, CIO of the National Association of Counties (NACo), which has a network of about 820 county IT leaders from 520 counties.
A SLOW PATH TO RECOVERY
Paying ransom doesn’t guarantee a quick path back to normal. Organizations across sectors took a month “to recover from the most significant attack,” Sophos said; it did not differentiate between those that paid or withheld extortion. And Reynolds told GovTech U.S. counties often see recovery times stretch longer.
Part of that is because victimized organizations need to carefully check that they’ve purged all traces of viruses from their systems before bringing services back online, Reynolds said. Impacted agencies that pay ransom also have no guarantee that the data will arrive uncorrupted, so need to spend time ensuring attackers didn’t hide backdoors that would let them re-launch an attack, McCarthy said.
Recovery usually takes place in stages, with an impacted agency first restoring its most critical assets — a task it might manage within a month — while taking longer to fully return to normal, McCarthy said.
THE GREAT PAYMENT DEBATE
To pay or not to pay is a complex calculation.
In some cases, it’s a legal question: North Carolina recently banned government entities from paying, although Sophos notes prohibitions don’t always work. Italy outlawed the practice, yet 43 percent of surveyed Italian ransomware victims reported paying.
For agencies given the choice, however, those facing the outage of life-essential services or inability to recover systems on their own might feel forced to give in to extortion. And McCarthy said that even governments capable of restoring data from backups may pay to stop hackers from leaking resident’s sensitive information.
But agencies also must consider hackers’ identities and motivations to better guess whether the criminals actually will come through.
“Knowing who the threat actor is is a really important piece to the puzzle,” McCarthy said.
Alan Shark is the executive director of CompTIA’s Public Technology Institute (PTI), a membership group providing research, professional development and consulting to local government. Shark noted that ransomware hackers acting as recently as a year and a half ago often upheld promises to return data in exchange for money, but today’s newer crop of fast-moving cyber extortionists appear less vigilant about remembering which victims paid or didn’t, making them more prone to renege on the deal.
Payment also doesn’t guarantee hackers leave systems or avoid striking again, Shark reminded. It also doesn’t always mean full recovery: Sophos found state and local governments worldwide that paid ransom and received back 59 percent of their data on average, just shy of the 60.6 percent average recoupment across sectors.
In many cases, it’s not just government but their insurers who may be making these assessments.
Insurers often conduct ransomware negotiations for clients and may deem it cheaper to pay than resist. Shark said this was the case in 2019, when Riviera Beach, Fla., paid a $600,000 ransom.
Globally, state and local governments were slightly more likely than the average organization to have insurance fund ransom payments during their “most significant” cyber incidents, with 49 percent reporting this compared to 40 percent across sectors, Sophos found. Meanwhile, agencies were significantly less likely to have insurers pay the costs of getting back up and running, with 44 percent getting such payouts, compared to 77 percent of all organizations.
Securing cyber insurance coverage is becoming increasingly difficult for U.S. cities and counties as insurers raise prices and insist clients meet various best practices to get or renew coverage.
Insurers wanting to assess the risks of taking on prospective municipal clients may ask them to complete 11-page applications detailing their cybersecurity trainings and defenses, Shark said. The cybersecurity measures insurers want to see are reasonable, in Reynolds and McCarthy’s opinions. But they can still be difficult for cities to implement or afford.
“The questionnaires are very detailed. And the very first question almost always is, do you have multifactor authentication? And I’m hearing repeatedly that if the county answers ‘no,’ you can pretty much forget about having cyber insurance,” Reynolds said. “If I have a conversation with nine out of 10 counties, they’re going to tell me we are having difficulty either getting cyber insurance or renewing it.”
Local governments are often priced out of meeting best practices.
“The number of controls or the number of security measures that need to be in place in order to get a reasonable rate is nearly impossible for a small municipality to implement,” McCarthy said. ”It’s like ‘OK, we have to implement 10 new pieces of technology or 10 new software.’”
Some relief may be on the horizon, however, as the Infrastructure Investment and Jobs Act will provide $1 billion of cybersecurity funding to state and local governments over the next four years.
But even the process of completing the applications can be more than small agencies can handle if they lack significant IT expertise.
“Those 11 pages are so complicated, that many smaller localities have no idea how to fill it out,” Shark said. “And if you fill it out incorrectly … there’s no obligation for the insurance company to pay out because you basically falsified the record.”
Despite these concerns, 90 percent of “over 75” local government IT executives reported having cyber insurance in an August-September 2021 CompTIA/PTI survey. Although that finding may not capture whether they had enough insurance; Shark recalled conducting a tabletop exercise with a Californian city that led officials to realize their $2 million plan should’ve been for $4 million.
GETTING CREATIVE: SELF-INSURING AND CYBER WARRANTIES
Some cities like Boston are opting to self-insure — a practice by which organizations budget funds to pay for emergency costs, often done in the hopes of saving what would be spent on premiums.
Some municipalities may self-insure up to a certain expense amount, then purchase re-insurance to cover costs beyond that, Shark said. Re-insurance tends to be cheaper because clients assume more of the risks.
And McCarthy said a new market is emerging in which managed service providers (MSPs) offer a level of ransomware and data breach warranties to customers, which vary over what and how much they cover.
Subscribers to CrowdStrike’s endpoint detection platform, for example, can get an amount of “cyber extortion payments” and certain “[data] breach response expenses” covered should a significant security incident impact the operating system of an endpoint protected by the product. That includes up to $100,000 in ransom.
Municipalities struggling to afford enough cyber insurance may turn to such warranties as an alternative or supplement.
When Leonardtown, Md., was impacted by the ransomware attack against Kaseya, the city was able to turn to its MSP first for recovery assistance, Shark said. The MSP proved able to help them recover, sparing the city from engaging their cyber insurers and risking seeing premiums rise.
Of course, there’s a limit to what MSPs — or insurers — can do.
MSPs may promise funding up to a certain amount of expenses, but they won’t write a blank check for ransoms, Shark said. And they can pledge to come to customers’ aid within a certain amount of time but cannot guarantee data recovery or other outcomes.
Insurance, too, while helpful, isn’t the whole picture.
“The other thing that counties understand better now [is that] cyber insurance isn’t there to ‘bail you out,’ quote-unquote. It’s insurance you still need, but it’s vital that a county be doing good basic cyber hygiene,” Reynolds said.
NACo encourages counties to participate in simulated cyber attack trainings on a quarterly basis, ensure their vendor contracts require prompt incident notification and adopt tools like those that can automatically check their websites for vulnerabilities, for example.
Strong recovery strategies are also essential, such as creating air-gapped backups to reduce chances of compromise. And creating backups is only part of the battle; governments also need to regularly practice restoring from them.