More state governments are buying cyber insurance
Nearly half of state governments had cyber insurance in 2019 and the number is expected to rise this year.
Local governments and other nonprofit issuers of tax-exempt bonds also are joining the growing ranks of those using cyber insurance to ensure their continuity of operations and provide liquidity to make timely debt payments.
States that already have cyber insurance are expanding the number of agencies that are covered and some are allowing municipal governments to piggyback on their policies.
“Cybersecurity is a business risk to the continuity of government,” said Doug Robinson, executive director of the National Association of State Chief Information Officers.
“Local governments are the least prepared and have the least amount of discipline,” said Robinson. “It’s much more likely to occur than other risks that can disrupt the continuity of government.”
State governments are playing a crucial role.
Georgia, Wisconsin, Texas and other states have master state contracts with insurers that are available to local governments for cybersecurity response and remediation, said Robinson.
Some states have space available at their data centers or offer backup services.
The Colorado Threat Information Sharing (CTIS) network formed by the state of Colorado shares information among state agencies, local governments, industry and other non-government entities.
Colorado was cited as an example of what states are doing in a joint white paper released last month by the National Governors Association and the National Association of Chief Information Officers.
The white paper, titled Stronger Together, described cybersecurity as “a critical business risk, homeland security and public safety threat, voter confidence issue and economic development opportunity.”
Some states are taking a “whole of state” cybersecurity approach, which recognizes that cybersecurity is not simply under the purview of the executive branch of state government and that political subdivisions, higher education and school districts all face risks to the continuity of government and should be part of the discussion. These states include private sector companies such as utilities in that equation.
A number of states have formulated a cyber disruption plan. NASCIO has produced a guide to such plans, which may include the state police and homeland security.
Montana became the first state to take out a cybersecurity insurance policy in 2011.
“This market is not that mature,” said Robinson. “You’ve got less than 10 years of experience.”
Originally states took out coverage solely for the executive branch, but some states have expanded their coverage to include the legislative and judicial branches.
Georgia has policies with multiple carriers for all three branches of state government that also include higher education and K-12 education.
Georgia’s $100 million in coverage is the highest among the states, Robinson said. “Most states are $10 million to $30 million for the major branches of state government,” he said.
Policies start with coverage for data breaches and notification of citizens or perhaps business interruption.
“There are states and local jurisdictions that believe that obtaining cybersecurity liability insurance actually incentivizes the bad actors to target you because they know you are going to have coverage,” said Robinson.
“The criminals have found out that ransomware is a much more effective mechanism than data theft because the payment is instantaneous.”
The New York State Senate is considering legislation that would provide state funding to local governments to help them with cybersecurity while eventually banning the payment of ransomware, said Robinson.
“The FBI and cybersecurity researchers all advocate not paying ransom because it helps the cyber criminal ecosystem,” said Leroy Terrelonge, assistant vice president and cyber risk analyst at Moody’s Investors Service.
The advantage of cyber insurance is that the carriers have a checklist that will require a certain level of sophistication, cybersecurity hygiene and controls before they will underwrite a policy.
In an interview last month, Geoffrey Buswick, S&P Global Ratings managing director, observed that “not all cyber insurance will pay ransom.”
“When we see cyber insurance, like any other insurance we see it as a general positive,” Buswick said, because it might aid in a local government’s liquidity.
In November, S&P downgraded Princeton Community Hospital in West Virginia to BBB from BBB-plus, two years after a cyberattack weakened the hospital’s reserves, which already were declining because of operating losses. Another factor in the downgrade was the integration risk associated with the acquisition of a regional medical center.
In a November comment, Moody’s noted as a credit positive that Ohio Gov. Mike DeWine signed legislation creating a civilian cybersecurity reserve force, named the Ohio Cyber Reserve, to protect local governments, critical infrastructure and businesses from the impact of cyberattacks.
Insurance is one of many factors the rating agency would consider.
“States have insurance for lots of different areas,” said Orlie Prince, a vice president and senior credit officer at Moody’s. “We may view it as a positive that they have cyber insurance to cover an attack in light of the fact we know that these attacks are increasing constantly.”
However, Prince added, “I don’t know if I see this as a factor that would affect a rating.”