Ransomware can hold cities hostage. Will cyber insurance help?

As the director of the Baltimore mayor’s office of emergency management, David McMillan prepares for the worst. He plans for and coordinates the response to power outages, storms, and other hazardous situations. 

In early May, Mr. McMillan faced a new emergency – a ransomware attack on the city’s computers. The malicious software shut off email communications, stopped online bill payments, and locked the city’s files. City employees wandered City Hall, uncertain what to do sans computers.

“The most important role for emergency management during a cyber incident is to ensure continuity of operations,” says Mr. McMillan, in an email. But a growing number of cities, including Baltimore, are beginning to sketch boundaries around what lengths they will go to to return to business as usual.

This is one type of disaster where money can, in a sense, resolve the problem. As the name suggests, ransomware attackers typically offer to restore full server access – for a price. Cyber insurance can, in theory, help municipalities that have fallen victim to such attacks get back to business quickly. But for many city officials, the idea of using insurance to negotiate with hackers presents an ethical challenge because it rewards cybertheft.

Hackers are undoubtedly aware that cities have access to such insurance policies, says Fleming Shi, chief technology officer at Barracuda Networks, a California-based cybersecurity company. They may feel emboldened to ask for larger sums. “They’re going to see that as a nice fat check,” he says.

More than 70 state and local governments have been subjected to ransomware attacks in 2019, according to research by Barracuda. In December, city governments in Pensacola, Florida, and New Orleans both found their computer systems held hostage. Without insurance, municipalities face the risk of bearing a costly attack all alone. But with insurance, municipalities become capable of potentially a bigger payout for the assailants.  

In June, such insurance checks helped two cities in Florida regain access to their systems at a fraction of the ransom request. When Lake City was charged a ransom of about $460,000, the city itself was only on the hook for a $10,000 deductible; cyber insurance picked up the difference. Riviera Beach used insurance to pay off a roughly $600,000 ransom, after paying a $25,000 deductible.

In both cases, ransomers walked away with a windfall. But the motive behind targeting municipalities with ransomware is not always solely financial.

Voter information or other private, personal information held by municipalities can be stolen in a ransomware attack, Mr. Shi says. In addition to locking the system, attackers can gain access to a system’s files – a problem that paying a ransom does not solve.

Sudhin Thanawala/AP

County Sheriff Janis Mangum stands in a control room at the county jail in Jefferson, Georgia, Sept. 12, 2019. A ransomware attack in March took down the office's computer system, forcing deputies to handwrite incident reports and arrest bookings.

When Baltimore Mayor Bernard “Jack” Young received a ransom demand of about $76,000 in Bitcoin, he refused to pay. That decision meant that the city instead absorbed more than $5 million in systems repair and data recovery.

Over the summer, Mr. Young helped rally his mayoral colleagues behind a pledge to stand “united against paying ransoms in the event of an IT security breach.” The resolution, which he co-sponsored with Las Vegas Mayor Carolyn Goodman, was unanimously adopted by more than 1,400 mayors represented by the U.S. Conference of Mayors.

The resolution to not pay ransoms did not prevent Baltimore from investigating and eventually purchasing cyber insurance. In October, Baltimore’s Board of Estimates voted unanimously to purchase two policies, totaling $800,000 for one year of coverage.

The policies’ total coverage of $20 million could be used to offset costs incurred by business interruption, and to pay for investigation and response teams.

The trend over the past five years has been toward having a cyber insurance policy as a best practice, says Josh Zelonis, a principal analyst at the Massachusetts-based market research company Forrester. But Mr. Zelonis called paying a ransom with insurance “a very touchy area.” 

John Fokker, head of cyber investigations for McAfee Advanced Threat Research, also sees overall benefits in cyber insurance.

“No matter how secure your organization is you will always be left with that last piece of risk that you cannot cover with regular IT systems,” says Mr. Fokker, a co-founder of the international No More Ransom Project. “The insurance can cover that part and it will cover any additional costs, which you have to make after an attack takes place.”

Mr. Fokker, who formerly worked in law enforcement and helped author the section on ransomware in the 2020 Threats Predictions Report for McAfee Labs, put it clearly: “Cyber insurance doesn’t protect you against ransomware.”  

As Baltimore’s new cybersecurity committee, created in the wake of the May attack, held its first hearing in November, emergency management director Mr. McMillan fielded council members’ questions about what is being done to prepare and plan for future attacks.

“Lots of other major American cities were reaching out to me,” Mr. McMillan told the committee members. The other cities wanted to know how they can improve and prepare for a cyber incident.

Mr. Shi urges municipal leaders and residents to think about cybersecurity as a regular component of emergency management.

“Just like we test the city’s capabilities to respond to fire,” says Mr. Shi, “we have to have our citizens stand up and say, ‘How is my data protected?’”

Editor's note: This article has been updated to correct John Fokker's affiliation with McAfee. He is head of cyber investigations for McAfee Advanced Threat Research.