How Public Entities Can Better Manage Cyber Risks
Cities, towns and municipalities face unprecedented challenges in today’s changing risk environment:
- Balancing limited budgets in a volatile economy.
- Protecting citizens amidst continuing civic and geopolitical unrest.
- Competing to attract and retain skilled workers in a tight labor market.
- Overcoming supply chain disruptions to deliver essential services.
Each of these issues warrants careful attention and consideration. Yet, according to the 2024 Travelers Risk Index, cyber threats remain a top concern.
62% of survey participants reported that they worry some or a great deal about cyber risks.1
79% of survey participants agreed that it is hard to keep up with the evolving cyber landscape and latest threats.1
From AI to IoT, public entities are increasingly under pressure to upgrade outdated systems and adopt new technologies that can help better protect and serve their citizens. But becoming a “smarter,” more connected city can exacerbate existing, or create new, cyber-related vulnerabilities — and even the most well-funded municipalities may struggle to secure the resources required to effectively manage the risk.
Cybersecurity can be considered a civic duty.
Public entities handle sensitive information that needs protecting, from personally identifiable information (PII) for citizens and employees, such as social security numbers, medical records and financial information, to classified government information. They may also be responsible for securing the critical infrastructure and vital services their constituents need to live, work and thrive. Today that can mean modernizing systems and digitizing the processes that allow municipalities to effectively treat wastewater, extinguish fires, balance budgets, run community programs, distribute energy, provide emergency services, maintain roads and buildings and more.
As civic organizations increasingly rely on technology to meet these obligations, safeguarding the people, programs and property under their jurisdiction from the potentially devastating impact of a cyber incident is more important than ever. Just one data breach or cyberattack can result in:
- Loss of sensitive data. Theft, compromise or destruction of PII could cause harm to citizens, vendors and other municipal partners.
- Erosion of public trust. Reputational damage and loss of faith in an organization’s ability to protect information and individuals can impact a public entity’s ability to carry out its mission.
- Disruption of critical services. The inability to provide vital healthcare, transportation, energy and other civil services to communities can put lives and livelihoods in jeopardy.
- Financial losses. The costs to mitigate the impact of a cyber incident, including investigating the cause, restoring systems and data, repairing reputational damage, paying settlements and fines or covering legal and consultative fees, add up quickly.
Public entities remain an attractive target for cybercriminals.
Cities, towns, municipalities and other publicly funded organizations may face unique challenges, including budgetary constraints, that may make their infrastructure more susceptible to cybercrime such as:
- Outdated technology. Legacy systems may be unable to support the latest security patches or most up-to-date, secure versions of software and operating systems.
- Organizational complexity. Lack of centralized IT management and oversight between municipal departments can undermine enterprise-wide network administration and cybersecurity efforts or goals.
- More access points. Connected cities have larger attack surfaces — or “perimeters” — giving cybercriminals more endpoints that can be exploited to gain access to their entire network.
- Lack of universal standards. Networks managed by non-integrated teams of in-house staff and third-party providers often lack cohesive cybersecurity and risk management strategies, rules and roles.
The “perimeter” is everywhere, so “layers of protection” may be best.
Many organizations focus cybersecurity efforts on protecting their networks from outside threats, believing that a strong perimeter defense will keep them safe. But the truth is that the “perimeter” as we once defined it has evolved and now exists everywhere. It’s the employee that makes a remote connection from a coffee shop. It’s the interface to a water treatment controller. It’s the sensitive personnel data stored by your HR cloud provider. Each of these access points make up the new perimeter, which calls for a different mindset about cybersecurity: It’s not about bigger and thicker walls preventing the outside from penetrating the inside anymore; it’s about having several overlapping, complementary layers of defense at every location, on every device and for every way business is conducted throughout your organization.
Also consider that public entities with limited financial and human resources can often be forced to make tough choices and trade-offs when it comes to cybersecurity. That may mean attention and funds get disproportionately allocated to shore up what are believed to be the most important controls (such as perimeter firewalls), rather than protecting what may actually be the greatest vulnerabilities (such as not verifying the identity of a user logging in as an administrator).
There’s a security adage that goes something like this: an attacker only needs to be lucky once, but the defenders need to be lucky every time.
All it takes is one opening such as:
- An employee falling for a phishing scheme.
- Failing to verify a user’s identity.
- Outdated software.
- Poor password policies.
To give cybercriminals the “in” they need to:
- Compromise or hold data hostage.
- Eavesdrop or redirect payments.
- Endanger employees and citizens.
- Bring municipal operations to a halt.
Therefore, no cyber strategy should be considered complete without investment in the following basics:
- Implementing a Multifactor Authentication (MFA) system.
- Keeping systems up to date.
- Monitoring systems with Endpoint Detection and Response (EDR).
- Having an Incident Response (IR) Plan in place.
- Securely backing up your critical data and systems.
Beyond controls, cybersecurity starts at the top.
Maintaining proper cyber hygiene is more than a matter of implementing controls. It must be part of the culture, and the tone must be set from the top. Leadership must champion and participate in organization-wide cybersecurity efforts, and should consider implementing practices such as those recommended in the federal Cybersecurity & Infrastructure Security Agency’s (CISA) “Partnering to Safeguard Localities from Cybersecurity Threats Toolkit”:
- Establishing a culture of security by including and aligning cybersecurity goals with overall organizational goals.
- Selecting and supporting a “Security Program Manager” to report on progress and roadblocks. The Security Program Manager can be anyone with the appropriate level of authority in your organization and does not have to be an IT or cyber expert.
- Reviewing and approving your incident response plan, as well as participating in tabletop exercises in collaboration with leaders across the organization.
- Supporting your organization’s IT leaders, including making announcements about cyber initiatives.
Or, for organizations with limited resources:
- Work with the state/local planning committees to leverage the State and Local Cybersecurity Grant Program (SLCGP), which provides funding to support state, local, tribal and territorial (SLTT) governments’ efforts to address cyber risk.
- Consider implementing free or low-cost services, such as the free “Cybersecurity Services and Tools” available from CISA, to make near-term improvements when resources are scarce.
- Ask more of technology providers, requesting that all technology used for core government functions have strong security controls enabled by default, for no additional charge.
A solid cybersecurity strategy includes a solid insurance policy and provider.
Public entities are exposed to an ever-evolving landscape of cyber risk. While establishing the proper controls can help reduce the likelihood and impact of an incident, none can fully eliminate the risk. A trusted insurance partner is important, as is a robust cyber policy, like Travelers CyberRisk for Public Entities, which can offer an extra layer of protection, providing critical coverages and risk management services to help effectively plan for, respond to and recover from an incident while minimizing the potential impact on your organization and the people, data and property it is entrusted to serve and protect.
Contact your insurance agent or a Travelers representative to discuss your specific cyber coverage needs.
5 Cyber Readiness Practices for Public Entities
1. Implement Multifactor Authentication (MFA)
MFA includes the use of two or more authentication factors to verify a user’s identity prior to allowing access to IT resources. Factors can include:
- Information only the user knows, such as a password or passphrase.
- A token, smartcard or device.
99.9% of account compromise attacks can be prevented by using MFA.*
2. Keep Systems Current
Apply the latest patches for security weaknesses in order to:
- Help track, obtain and validate available patches.
- Permit priority-based patching, with critical patches being applied as soon as possible.
- Perform reporting and auditing to detect if a patch fails anywhere on the network.
3. Use Endpoint Detection and Response (EDR)
To help provide advanced, automated detection of suspicious activity, intrusions and attacks in real time, protect endpoints, including:
- Network servers and hardware
- Cloud-based apps
- Mobile and desktop devices
- Internet of Things (IoT) devices
- Operational technology (OT)
4. Have an Incident Response (IR) Plan
To limit the damage and lessen the time it takes to return to “normal” operations following a cyber incident, an incident response plan should outline:
- Who does what
- How it gets done
- When it gets done
5. Back Up Data
Adopt a tiered strategy to reinforce your data by:
- Keeping an additional backup copy made on a local storage device in a separate and secure location every week.
- Backing up data frequently to one location, such as using a remote service each night.
- Storing at least one copy offline.
Investing in cyber insurance can be a smart strategy, too.
Travelers CyberRisk is a modular cyber insurance solution for public entities, offering 16 insuring agreements, including potential coverage for:
- Liability
- Business Loss
- Cybercrime
- Breach Response
To learn more about cyber insurance for public entities, visit:
travelers.com/cyber-insurance/public-sector.
*https://www.travelers.com/iw-documents/travelers-institute/TravelersInstitute-US-CybersecurityGuide.pdf
This information is for general informational purposes only. None of it constitutes legal or professional advice, nor is it intended to create any attorney-client relationship between you and the author. You should not act or rely on this information without seeking the advice of your own attorney or other professional advisor. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists or guidelines will result in a particular outcome. In no event will Travelers or any of its subsidiaries or affiliates be liable in tort or in contract to anyone who has access to or uses this information. Travelers does not warrant that the information in this document constitutes a complete and finite list of each and every item or procedure related to the topics or issues referenced herein. Furthermore, federal, state or local laws, regulations, standards or codes may change from time to time and the reader should always refer to the most current requirements. This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law.
The Travelers Indemnity Company and its property casualty affiliates. One Tower Square, Hartford, CT 06183 ©
2024 The Travelers Indemnity Company. All rights reserved. Travelers and the Travelers Umbrella logo are registered trademarks of The Travelers Indemnity Company in the U.S. and other countries. BPSIN.0010 REV 4-24
Sources:
1Travelers Risk Index, The Travelers Indemnity Company, 2023. (1,202 total business insurance decision-makers in many industries were surveyed: 108 construction, 71 real estate, 101 healthcare, 110 technology, 106 retail, 86 transportation, 56 wholesalers, 110 professional services, 106 manufacturing, 164 banking, 264 publicly traded companies, 96 nonprofits, 46 public sector.
