Premium prices are rising, insurers are becoming more selective about coverage and local governments are confronting the reality that even insurance claims monies cannot undue all the damage of successful cyber attacks. Local governments facing these rising costs need to ensure they’re getting the most from their dollars, and finance officials must be ready.
“CIOs very often report somewhere into administration or somewhere into finance. So, whether finance officers like it or not, they are responsible,” co-author and CDG Senior Vice President Teri Takai told GovTech. “But even with that, they’re responsible for establishing the budget: How much do we pay for cyber insurance? How much do we pay for preventative measures? How much do we set aside for incident response? So, it’s critical that they understand at least the components of it.”
Governments should use concrete data to examine their risks and options so they can compare how different cyber investments could reduce chances of suffering expensive attacks, according to the new Cyber Risk Savvyreport.
The GFOA-CDG reports urges local governments to model their likelihoods of falling to certain attacks as well as the extent of financial damage that might result. Then agencies would estimate how securing different types and levels of insurance coverage and adopting different cybersecurity controls could reduce those risks down to more acceptable levels.
“The burning question for everyone is the cost of cyber insurance versus what I get, and assessing the risk,” Takai said.
Knowing Your Options
There are plenty of contenders for governments’ cybersecurity dollars and finance officials should consider how different mixes of commercial insurance, self-insurance and cyber defenses could work for them. First, though, they need to understand the options.
Commercial cyber insurance is not a panacea, the report warns. Claims payouts help with recovery after an event but can’t fully undo the harms inflicted. Governments may still need to restore files, rebuild damaged reputations and tackle other issues that could have been avoided if the incident was prevented.
Insurance plans also often have restrictions, and agencies need to understand all the limits, sub-limits, deductibles and other nuances so they know exactly how much their plan covers. Retention policies can mean that agencies still must foot significant portions of the bill before coverage kicks in.
Because of such lingering costs and damages, agencies may find that their dollars are sometimes better spent on more preventative measures than on more insurance. Strong cyber defenses can also make affordable insurance more attainable, because insurers increasingly want to see applicants demonstrate good cyber postures.
Governments seeking to avoid high commercial premiums may also turn to self-insurance. Governments may opt to fully self-insure or just to assume a greater level of financial risk should an incident occur, then purchase a smaller — and thus cheaper — level of insurance to cover the rest.
Putting Price Tags on Cyber Risk
Finding the right investment approach depends on having a solid understanding of the risks. And talking about what’s a “high,” “low” or “medium” cyber risk isn’t good enough, the report states. The terms are too vague and subjective, with cautious and intrepid individuals having different interpretations of what “high” risks looks like, for example.
Instead, governments should try to express the situation with hard numbers. Framing risks in terms of statements like, “there is a 10 percent chance of a ransomware attack costing us more than $100,000 in the next year,” is clearer and thus more actionable, the report says.
Insurance firms make these kinds of calculations when modeling the risks of taking on prospective clients, and — while it’s not the same as securing a professional risk analyst, the report cautions — government officials can get a similar glimpse of this kind of thinking by using tools like the GFOA’s Ransomware Risk Quantification Education Model, which provides a Monte Carlo analysis.
Report co-author and GFOA Senior Manager of Research Shayne Kavanagh told GovTech that such analysis is like envisioning how events could play out for your organization in different alternate universe versions of the future.
“You’re creating thousands of different universes in which cyber attacks happen at different frequencies, different magnitudes, and then you’re finding out how robust your financial risk strategy is under all those different scenarios,” Kavanagh said. “So, if you’ve got a model that has 1,000 scenarios in it, and, let’s just say a cyber attack has a 10 percent chance of happening, then that model will have a cyber attack happening in roughly 100 of the 1,000 scenarios.”
Officials can look at the probabilities of attacks succeeding and probabilities that these result in different depths of financial losses. Then officials can factor in how adopting different preventive measures might draw down those costs. This lets officials estimate how much investing in a better backup system or in anti-phishing training, for example, might reduce losses and compare these against other possible approaches.
Governments can then consider whether they’d rather self-insure or purchase commercial insurance to handle any remaining costs unlikely to be mitigated by defensive measures. Using the model, they can predict how those choices could play out. For example, a government might find an 8 percent — or one-in-12 years — chance of incurring losses that outstrip the funds they have saved and can then decide whether they’re comfortable with this or prefer to purchase commercial insurance to cover such a scenario, the report states.
“[In your model,] you could also have different insurance policies, and you could also have different levels of reserves available to cover the risk retaining. And all these other uncertain variables can all be factored in so that, when you’re doing this across all these thousands of trials, each one of those things can be varied to see how robust your financial risk strategy ends up being,” Kavanagh said. “Let’s say you find your strategy ends up being robust under 950 of the scenarios in your 1,000-scenario model; that tells you you’ve got about a 95 percent chance of having a financially robust strategy in real life.”
The Data Challenge
Organizations can use data about the threat landscape from sources like the Multi-State Information Sharing and Analysis Center (MS-ISAC) and peer threat intelligence sharing groups to help inform their models, Takai said. Kavanagh also pointed to insurance pools and third-party cyber intelligence firms.
But threats and technologies change rapidly, so historical data will never be able to perfectly predict the future. Still, it’ll give agencies a better picture.
“The past is useful. It’s still valuable. You just have to accept the fact that it’s not immutable,” Kavanagh said.
Four Key Steps
The report urges local governments to make sure they understand their cybersecurity positions — including what data and systems are essential to protect, what likely threats are and what security already is in place — as well as use models to put their risks into concrete, quantitative terms. Next, officials need to look at the security options available, such as self-insurance or commercial insurance with different coverage and retention amounts, and to carefully pour over the details of the policies.
Once governments have settled on an approach, they’ll need to keep up with the fast pace of change by regularly reassessing the situation, including how threats have evolved and how updates to their own technologies or operations have affected their attack surfaces.
*The Center for Digital Government is part of e.Republic. Government Technology is a sister site to Governing. Both are divisions of e.Republic.