Cities and towns are in the crosshairs of cyber-criminals as they grapple with manmade and natural hazards
By Joseph S. Harrington, CPCU
Whenever private businesses face difficult risk and insurance conditions, you can usually assume that public entities face the same challenges, but to a greater degree.
Public entities operate under the expectation that they will not only protect their own property, but that they will respond to protect people and other property within their jurisdiction. This goes not only for police, fire, and public health departments, but for schools, senior centers, and recreational and other facilities expected to continue serving their patrons and provide emergency shelter.
Regarding their own property, many communities are burdened with older buildings and infrastructure vulnerable to severe damage in a growing number of weather disasters. This places immense strain on already stressed municipal budgets.
In terms of liability exposure, municipalities face the “social inflation” that is driving up the cost of liability judgments. At the same time, local governments find themselves increasingly exposed to claims of police misconduct and sexual abuse, the latter exposure expanded by a movement to extend or eliminate statutes of limitations for lodging abuse claims.
At the same time, municipalities are witnessing the slow erosion of long-standing legal doctrines of “sovereign immunity” or “qualified immunity,” which historically provided some protection from civil liability for local governments and those acting on their behalf.
As always, public bodies have less flexibility than private entities to respond to changes in risk, because public bodies operate in the public eye under legal constraints for budgeting and spending and have less ability than their private sector counterparts to settle claims confidentially.
As 2022 opens, this already challenging situation encounters a hardening market for most lines of property/casualty insurance in most regions of the country.
Competition among commercial insurance providers and public risk pools provides municipalities with a buffer against hardening market conditions, says Sue Coates, president of Trident Public Risk Solutions, a member company of Paragon Insurance Holdings.
“Public risk pools and private insurers represent different value propositions for municipalities,” she says. “Pools leverage collective buying, shared limits, and localized expertise to manage risk transfer costs on a shared basis.
“Private insurers, on the other hand, provide dedicated and individualized insurance solutions tied to the risk management needs of each municipality,” she adds. “While these are very different risk transfer vehicles, both play important roles.”
Even with that, Coates reports “some hardening of rates and terms” in different degrees in different lines and areas of the country. “Property, law enforcement liability, and excess liability are probably the biggest challenges right now,” she says.
As extreme weather events become “the norm,” as Coates terms it, she finds that property insurance challenges no longer are limited to coastal communities.
“Municipalities see the impact of severe weather in increased pricing, higher deductibles, and reduced limits for certain perils,” she says. “In some regions, it impacts the availability of coverage entirely.”
Even when coverage is available, “municipalities find it very difficult to manage big swings in price and changes in terms,” she says. “Sudden price hikes or cutbacks in coverage have a big impact on municipal buyers with fixed budgets.”
Producers and cyber
Coates believes it falls principally to agents and brokers to balance carriers’ needs for rate adequacy and loss ratio stability against the needs of municipal buyers who value predictability in their budgeting for risk management.
“If this balance isn’t managed properly, the consequence is often a dramatic correction,” she says. “The need for best practices in risk management, deep expertise at the producer level, and stability at the carrier level is more important than ever.”
The challenge of serving the risk needs of municipalities has become all the greater as public entities have become prime targets of cyber-criminals.
Nearly half of ransomware attacks throughout the world in 2020 were directed at municipalities, notes Derek Kilmer, manager of professional liability for Burns & Wilcox. Other public bodies have also been targeted, he says, including at least four public water treatment systems attacked in early 2021.
“Because of these threats, some insurers no longer offer cyber coverage for public entities,” he says. “The remaining carriers are reducing capacity, increasing prices, lowering limits, increasing deductibles, and sub-limiting coverage for dependent business interruption and ransomware.”
To manage the risk and costs of coverage, Kilmer urges agents and brokers to consult with their clients and carriers well before renewal so their municipal accounts have ample opportunity to implement measures to bolster their online security.
Measures Kilmer recommends to reduce the chance of cyber loss and the cost of cyber insurance are, among others:
- Multi-factor authentication (user name, password, texted code number, etc.) for access to municipality networks and email systems
- Limitations on access to personal information of individuals
- Encryption and encrypted backups of networks, systems, and mobile devices
- Authentication and authorization protocols for electronic payments
Kilmer also urges that data, networks, and systems be backed up regularly according to the “3-2-1 rule,” which calls for three different backups, on two different kinds of media, with at least one that is offline, and each secured by multi-factor authentication.
Few cyber threats are as ominous as the potential threat to public water supplies.
The threat became a reality in February 2021 when hackers attempted to introduce dangerous levels of sodium hydroxide (lye) into the municipal water system of Oldsmar, Florida, a community on the northern end of Tampa Bay. The breach was quickly detected and corrected, and backup systems may have prevented great harm even if early detection hadn’t happened.
Nonetheless, the incident spotlighted the vulnerabilities of the most vital of all municipal services, and governments at all levels are addressing the risk.
In late January 2022, the Biden Administration announced a “Water and Wastewater Sector Action Plan” as part of a broader initiative to bolster the cybersecurity of industrial control systems.
According to a release from the U.S. Environmental Protection Agency announcing the plan, its basic components include:
- Establishing a task force of water sector leaders
- Implementing pilot projects to promote incident monitoring
- Improving information sharing and data analysis
- Providing technical support to water systems
For more information:
Burns & Wilcox
Trident Public Risk Solutions
Joseph S. Harrington, CPCU, is an independent business writer specializing in property and casualty insurance coverages and operations. For 21 years, Joe was the communications director for the American Association of Insurance Services (AAIS), a P-C advisory organization. Prior to that, Joe worked in journalism and as a reporter and editor in financial services.