
Cyber Liability Insurance is Critical to Municipalities and Law Firms

January 4, 2024 | Personal Insurance

Imagine services for a city of nearly half a million people shuttered – nonemergency phone systems are inactive, weather monitoring and alarm systems don’t work on the brink of a severe winter storm, and data is being dumped onto the dark web affecting tens of thousands of residents.

If this scenario sounds like a nightmare, that’s because it is, but for the city of Oakland, California, it was their reality. The city declared a state of emergency on the fourth day of the cyberattack in February 2023, but it persisted. At the end of April, the city issued a press release that said “nearly all of our IT systems that were impacted as a result of this incident have been restored.”

Months later, the municipality is still dealing with the fallout from the attack, including several legal claims and a class action lawsuit from the Oakland Police Officers’ Union, which sued the city for damages suffered because of the ransomware attack.

Cyberattacks on city governments are on the rise, with the number of incidents doubling between 2022 and 2023, according to Cyber Defense Magazine. But it gets worse. According to recent reports, “More than half of all attacks were aimed at municipal governments; they accounted for 55 percent of reported ransomware incidents in 2018. Since 2018, the number of ransomware attacks on companies worldwide has increased and reached a peak of 68.5 percent in 2021.”

These attacks can cost city governments and municipalities millions, with the average breach costing a state as much as $40 million and the median cost ranging from $60,000 to $1.87 million, StateTech Magazine states.

This incident is one in a string of city municipality cyber attacks that highlights the importance of cyber liability insurance. Law firms face similar threats because of the types of information they access. “Cybersecurity is a nemesis for law firms these days. We can’t seem to go a single day without hearing about some sort of security event such as a ransomware attack, data breach, newly discovered vulnerability, or some misuse of our information,” the American Bar Association (ABA) said in its 2022 Cybersecurity tech report summary.

The report notes that 27 percent of law firm respondents from a survey experienced a security breach, such as a lost or stolen computer or smartphone, hacker, break-in, or website exploit. (It’s important to note that not all security breaches lead to data breaches.)

If it’s not already, cybersecurity should be a high-level concern, particularly for municipalities, law firms, and businesses that collect and process sensitive consumer data. And while proactive planning to prevent cyberattacks is critical, so is being adequately prepared with the right type of cyber liability insurance, which covers losses that stem from an incident and a range of recovery expenses.

Law Firm, Municipality Cyber Attacks Range in Type

It’s no secret that we’re in an era where digital technology is integrated into every part of our lives with instant connectivity, immediate access to information, and constant changes in communication and commerce. Gone are the days when you could easily determine when a bad actor is trying to attack your systems. Cyberattack schemes are becoming more sophisticated both in the type of attacks and how they’re executed, meaning the risk is greater than it’s ever been.

Cybercriminals can compromise municipalities, law firms, and company data in many ways. Here are some of the more common types of cyber attacks:

Funds Transfer Fraud (FTF): In this type of activity, hackers exploit vulnerabilities and divert funds to their account instead of the intended recipient. Also known as “wire transfer fraud,” attackers often gain access to a C-suite executive’s email account and direct an employee to transfer funds. They also send fake invoices and impersonate real clients or vendors using a variety of communication channels.

Social Engineering: In this manipulation tactic, hackers reach out to individuals by phone, email, or even direct contact and trick them into divulging confidential information or giving unauthorized access to restricted systems. This plays on trust and real interactions.

Ransomware: With ransomware, a cybercriminal encrypts critical data and demands payment for its release, just like with the Oakland, California example above. Software, or malware, is used to block access to files until the ransom is paid, and information is often disseminated on the dark web if payments are not made or are not made quickly enough.

Distributed Denial of Service (DDoS): This type of attack floods a network with traffic, which causes temporary or permanent service disruptions.

Insider Threats: In this type of attack, an individual who has privileged access to systems lets an attacker gain access, either through malicious actions or negligence.

Critical Infrastructure Attack: Cyber criminals target specific city infrastructure, such as power grids, water or transportation systems to disrupt city services.

Consequences of Cyberattacks on Municipalities and Law Firms

In 2023, cyber attackers targeted dozens of major US city municipalities and exposed the personal information of millions of residents, costing millions of dollars in recovery costs. Here are just a few of those impacted, as outlined by Cyber Defense Magazine:

  • Atlanta, Georgia: A ransomware attack cost the city $17 million in recovery expenses.
  • San Francisco, California: A vulnerability in the city payroll system caused a data breach, exposing the personal information of over 70,000 employees.
  • Chicago, Illinois: A data breach caused by a vulnerability in the city water billing system exposed the personal information of over 50,000 residents.
  • State of South Carolina: A vulnerability in the state unemployment insurance system caused a data breach that exposed the personal information of over 700,000 residents.
  • San Jose, California: A ransomware attack with an estimated $10 million in recovery costs was caused by a vulnerability in a city network.

Some notable examples from law firm data breaches include: Hackers stole Uber driver names, information, and Social Security numbers from one law firm and personal emails from 200 high-profile celebrities like Lady Gaga, Madonna, and Rod Stewart from another.

How to Mitigate the Risk of a Cyberattack on Your Municipality or Law Firm

While you can’t always prevent an attack, you can proactively prepare to both reduce risks and impact if a breach occurs. It’s important to:

  1. Assess your exposure
  2. Determine insurable threats
  3. Develop a cyber policy that meets your needs
  4. Continuously assess risk and remediate exposure
  5. Respond to incidents quickly to reduce reputational and financial harm

Invest in ongoing cybersecurity training for employees to enhance awareness and resilience against evolving cyber threats and perform regular cybersecurity assessments and audits to identify vulnerabilities.

If there is an incident, it’s critical to notify customers and clients of the breach, restore services, and remediate extortion attempts. In addition, there will likely be damages to pay to those affected by the breach.

Cyber insurance is a significant component in a risk management strategy. A cyber liability insurance policy can help you to cover the expenses associated with a cyber hack. Some commercial cyber liability policies even cover loss of business while your systems are compromised or unavailable. An agent can help you determine your needs based on your risk exposure.

A comprehensive cyber liability policy allows city governments, law firms and businesses to recover financially and manage reputational damage by providing the means to communicate transparently with the public and clients.

Are Cyberattacks Covered by General Liability Insurance?

Most likely, no, cyberattacks are not covered in a general liability premium for cities or law firms. Municipal insurance generally covers liabilities such as damage to public property, injuries, and claims filed by employees and third parties. Cyber insurance may even be excluded.

Business Owner Policies may incorporate some cyber coverage, but they typically offer minimal protection and exclude aspects such as funds transfer fraud (FTF), data compromise involving paper documents, social engineering, hardware replacement, and coverage for lost income.

Getting the Right Cyber Liability Coverage

Comprehensive cyber liability coverage is a responsibility municipalities and law firms cannot afford to ignore. Coverage can be customized to address specific threats that may be more prevalent in your industry.

A tailored approach helps ensure protection against persistent and evolving cyber threats. This financial safety net ensures municipalities and law firms recover as quickly as possible without compromising essential services.

A typical comprehensive cyber liability policy may include the following:

  • Security Breach Response: Coverage for losses and expenses directly associated with incident recovery activities.
  • Security Breach Liability: Coverage for third-party liabilities the insured is legally obligated to pay.
  • Restoration of Electronic Data: Covers the cost to replace or restore electronic data or computer programs.
  • Public Relations Expense: Coverage for fees and costs to restore reputation in response to negative publicity.
  • Cyber Extortion: Coverage for expenses related to investigation, negotiation and payment of extortion threat and ransom.
  • Business Interruption: Compensation for financial losses due to a disruption of normal operations caused by a cyber incident.
  • PCI Fines and Penalties: Coverage for loss and defense expenses related to noncompliance with the Payment Card Industry (PCI) Data Security Standard (DSS).

Additional optional insurance can be added for things like hardware replacement, telecommunications fraud, post-breach remediation, and other liabilities.

A Proactive Approach to Cyber Threats

Cybersecurity insurance policies can be complex. It’s important to speak to a cyber liability insurance expert who understands the unique risks local municipalities, law firms, and businesses of all sizes face in the digital age.

Cyber insurance offers a proactive approach to cybersecurity with risk assessment services and guidance to help identify and strengthen vulnerabilities to keep businesses ahead of cyber incidents.

Reach out to SBInsure to learn more about cyber liability coverage in Franklin and surrounding counties.

Author Creig Scott

Creig joined the SBI team in May, 2015. Creig is presently licensed in property, casualty and life insurance.
