Can Taxpayers Spare $338,700? That’s the Price of a Public Sector Ransomware Attack
A wave of ransomware attacks over the last year has been growing in both sophistication and cost as it hobbles local governments across the U.S.
Security experts are racing to catch up through stronger cyber safeguards and better training of government workers, who often let hackers in unwittingly.
But given the rewards of a successful attack, hackers have a powerful incentive to keep going, posing a sustained challenge to the insurance industry, said Kelly Geary, national cyber practice leader for EPIC Brokers, based in New York City.
“This is the kind of risk the insurance market, which has been in existence for hundreds and hundreds of years, is not accustomed to dealing with,” she said.
Other sectors, like professional services, are more likely to get hit, according to Coveware, a company that provides services to ransomware victims. But governments typically draw bigger headlines, from high-profile attacks in major cities like Atlanta and Baltimore, to the potentially coordinated attack in August against at least 22 small cities and towns in Texas.
Governments also net bigger ransoms, according to Coveware. While the public sector accounted for only 3.4% of ransomware attacks in the second quarter of 2019, it paid an average ransom of $338,700, Coveware reported.
The average ransom in the second quarter of 2019 was $36,295, up from $12,672 in the first quarter. Downtime costs between five to 10 times the cost of the ransom.
In response, local governments have been scrambling to buy cyber insurance even as the market shows signs of hardening. Premiums, for example, are rising, albeit not as quickly as claims, brokers and underwriters said.
Insurers likely have banked premiums from earlier years, allowing them to keep price increases in check today, said John Chino, an area senior vice president with Gallagher.
“We’ll see what happens when the bank is empty. Things might change more dramatically,” said Chino, who has public-sector clients in eight states.
“But right now, the bank allows them to be more stable.”
He was optimistic that the attacks would eventually be deterred: “The criminals stay one step ahead, kind of like a virus,” Chino said. “You can’t really develop the vaccine until you get it, and right now we have it. But we’re developing the vaccine, our public-agency clients are developing the vaccine, and we’ll get it under control.”
The History of Ransom
Ransomware is not new, with the earliest attacks recorded in the late 1980s and early 1990s. But several factors are aggravating the latest wave. At least 170 cities, counties and states have been attacked since 2013, with 22 attacks taking place in 2019, according to the U.S. Conference of Mayors, which compiled its numbers before the attacks in Texas.
The technology for launching a ransomware attack has become cheaper and easier to use. And because public entities usually have less to spend on cyber security, they are inviting targets.
Local governments also may have multiple access points and servers for their computer systems, making them difficult to protect.
Ransoms, meanwhile, offer a higher return for criminals than filching or reselling personal data, which drive attacks against retailers and other companies with vast stores of consumer data.
“That takes a long time to do, a long time to monetize,” said Scott Schleicher, underwriting manager for AXA XL’s cyber and technology underwriting unit.
Hackers are also becoming increasingly sophisticated. Towns and cities used to be able to avoid paying ransoms if they had a relatively secure backup. If their computers were locked down, they could restore operations from the backups and dodge the demands for ransom.
Lately, however, hackers have been disabling and locking down backups, leaving public entities vulnerable. Once inside, hackers also appear to be doing more reconnaissance to learn what they can demand.
And those demands are growing. More than a year ago hackers might ask for ransoms of a couple hundred or a few thousand dollars. Ransoms today are reaching into the high six-figures.
The upper limit for ransom amounts appears to be whatever local governments can bear without triggering greater scrutiny from federal law enforcement, observers noted.
“We do have the ability at the federal level to determine where these things originate,” Schleicher said. “It’s getting them involved that’s going to be the hard part.”
In the meantime, local officials could consider sharing their stories with their peers, whose systems may have similar weak points, such as outdated software.
Fearful of being next, towns and cities also have been reaching out to purchase cyber coverage. But in addition to potentially higher premiums, they may also face tougher scrutiny.
Insurers, for example, used to be more willing to write policies for entities that already had been breached, said Steve Robinson, national cyber practice leader for Risk Placement Services, a wholesale subsidiary of Gallagher. Now, carriers are asking more questions of those clients.
Minimizing the Damage
Although attacks are on the rise, Robinson said, cities and towns can take basic steps to prevent and minimize damage. For example, they can make sure their backups are offsite in multiple locations. And they should frequently test backed-up data to ensure it is usable.
Encrypted USB drives and tapes may also make a return as a form of backup, Robinson added.
Of course, local officials may resist paying ransoms, for fear of rewarding criminals and encouraging future attacks. This summer, the U.S. Conference of Mayors adopted a resolution voicing its opposition to ransoms. But the decision ultimately hinges on a simple but painful cost-benefit analysis.
“As distasteful as it might be, it might make better financial sense to pay a ransom if that is going to bring your system back on-line sooner,” said Tim Francis, enterprise cyber lead at Travelers Insurance.
Private companies aren’t immune, experts added. But they tend to have stronger defenses. If they are breached, they are better able to shield attacks from public view.
“There are companies that definitely pay the ransom and try to cover it up,” said Brandon S. Keath, cyber security practice lead at Appalachia Technologies LLC. “We just don’t see it or know about it.” &