By Ian Duncan
The Baltimore Sun
BALTIMORE — The attack on little Lake City, Fla., followed the familiar pattern: Hackers broke in after someone opened an infected email. Almost instantly, the city’s computer systems and records were locked up.
“Immediately we lost all internet, all phone service,” Mayor Stephen Witt said. Officials thought the city would have to “rebuild everything.”
But when they started turning computers back on and got a ransom demand, another option presented itself. Lake City’s insurance provider stepped in and began negotiations with the hackers.
And last week, the city council voted to pay. The bill would be about $470,000, but the city of 12,000 residents 60 miles west of Jacksonville would put up only the $10,000 insurance deductible. Faced with the consequences, Witt said, the city’s leaders were in agreement about paying.
“We would have lost a lot of information,” he said.
In Baltimore, where a debilitating ransomware attack in May has cost the city an estimated $18 million, top officials are now looking into whether the city’s current insurance might provide some coverage, and whether expanded protection could be a future option. Maryland’s IT department has also been assessing whether to get covered.
Lake City’s experience and that of another Florida city are sunny examples of the rapidly growing role of insurance providers in helping governments and businesses respond to cyberattacks. In each case, cities that faced losing valuable records avoided that calamity, and at a modest financial cost.
But the cyber insurance industry is still evolving and policies differ significantly in terms of what they cover, making shopping difficult. And the law governing them is not settled. Some large businesses have thought they were protected, only for their insurers to reject their claims, leading to court battles.
John Evans, Maryland’s top cybersecurity official, said he worries that as more organizations purchase insurance, it will only encourage hackers who see the prospect of a payout.
“It creates a whole other dilemma,” he said.
The FBI issued a statement this week reiterating its long-standing view that victims should not pay, saying that doing so “encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes.”
But for victims without good backups, paying is often their only chance of getting back their data, some experts say.
Witt said he did have qualms about paying a ransom but felt he had to make the best choice for his constituents.
“If it was my money and it was my information, I can make that decision. If I’m looking out for the citizens of Lake City, I’ve got to make the best decision for them,” he said.
Baltimore City Councilman Isaac “Yitzy” Schleifer, co-chair of a committee reviewing Baltimore’s response to the cyberattack, said the city should buy insurance. “Responsible governance requires the appropriate coverage when tens of millions of dollars and government services are at risk,” Schleifer said.
The market for cyber insurance is growing rapidly as providers move to get into the new field.
Mike Volk, a vice president at broker PSA Insurance & Financial Services, said the Hunt Valley firm has been offering cyber insurance for about a decade and such policies have become one of its specialties in the last three or four years.
But if you line up five policies side by side, he said, you’d find significant differences between them.
“There is no universally accepted standard,” he said.
Volk’s firm markets coverage for small businesses with less than $5 million in revenue starting at $66 a month. A $175-a-month option includes security testing.
A municipal government such as Baltimore with a $2.8 billion budget —and a range of complex city services —would obviously pay far more, but Volk said how much would be difficult to estimate.
Evans said he’s seen a wide range of costs for insurance depending on what is covered, and is working to determine whether insurance would be a good value for Maryland state government. If officials can better secure their systems and have plans to recover quickly in the event of an attack, he said it might not be worthwhile —or perhaps only for some agencies that hold particularly valuable data.
“The biggest thing to keep in mind before getting cyber insurance is it’s always a risk-based approach,” Evans said.
Baltimore Mayor Bernard C. “Jack” Young has directed City Solicitor Andre Davis to research coverage.
“We will be in negotiations with our existing insurance companies regarding current policies and also looking to enhance coverage,” Davis said.
At a budget hearing last month, Council President Brandon Scott told Davis that he knew of businesses that had insurance and, after they suffered an attack, they turned to it to quickly get back up and running.
Davis replied by highlighting the limitations of insurance coverage.
“I’m not being glib or snarky, Mr. President, but insurance companies don’t like to pay,” he said. “When you fight them hard enough, sometimes agreements can be reached. The whole issue of what’s excluded, what’s covered are very complicated legal issues that we are looking at very carefully.”
In one high-profile dispute, snack food company Mondelez filed a $100 million lawsuit against its insurer Zurich for refusing to pay after the food company was hit by a ransomware strain known as NotPetya. The ransomware has been attributed to the Russian government, which is suspected of first deploying it in its conflict with Ukraine. Zurich cited a clause in its policy excluding acts of war.
Mondelez was relying on a property insurance policy and Volk, the broker, said a standalone cyber policy might have offered better protection.
What’s more, he said, insurers are under such competitive pressure they might be reluctant to deny a claim for fear of being drummed out of the market altogether.
As with many things in the field, Volk said, “It’s still in flux.”
It’s not clear that having insurance would have helped speed up Baltimore’s recovery. The ransom hackers demanded was much smaller than the sums the far smaller Florida cities were facing —about $75,000 —but officials say even if the city had paid it still would have needed to assess the vulnerabilities in its systems.
But a policy could have helped offset a wide range of the city’s $18 million costs.
Tim Francis, leader of the cyber team at insurer Travelers, which markets a cyber policy for government agencies, said the company offers help getting clients back online and covers lost revenue. It recently started offering coverage that helps clients strengthen their defenses against future attacks.
“It’s in nobody’s best interests if the system was vulnerable before … and you just bring the system back to where it used to be,” Francis said.
A week before Lake City officials agreed to pay the ransom, council members in Riviera Beach, another Florida city struck by ransomware, made the same call. Their insurance covered a $600,000 payout.