Article

How public entities can combat cyber risk: An integrated approach across people, capital and technology

July 24, 2018

By Sou Ford and Jason Krauss

Recent high-profile news events have shown that entire cities can be targets of cyberattacks or ransomware attacks with the potential to encrypt thousands of files and shut down municipal services. Earlier this year, a ransomware attack brought down Atlanta’s municipal government for five days and disrupted government services for several weeks.

Over a third of the municipality’s software applications – dozens of which were deemed critical – were disabled as a result of the incident, which The New York Times characterized as “one of the most sustained and consequential cyberattacks ever mounted against a major American city.” Well over $10 million was spent to recover from the ransomware attack. This attack and others like it have highlighted the vulnerabilities state and local governments face as they continue to rely on computer networks for their day-to-day operations.

Combatting cyber risk in the public sector

Like any organization, public entities should take a multi-faceted approach to combatting cyber risk by addressing people, capital and technology. The first step is to conduct a comprehensive cyber exposure analysis. There are risk quantification and assessment tools available that could determine the entity’s overall risk profile, which may include exposure stemming from third-party vendors.

Studies have shown that cyber risk is heightened when companies contract with vendors to access, process, store or transmit sensitive data, such as personal or protected health information. Many public entities outsource their network and data security, and the management of their devices, to third-party vendors under terms and conditions that include indemnity agreements. Before procuring insurance coverage, the entity should evaluate the terms of those contracts and the insurance coverage carried by the vendors. These steps can go a long way toward transferring financial risk back to the vendor, who is often better positioned to prevent or promptly remediate a data breach.

Technology risks

Managing the technology component of an integrated cyber risk management program can prove challenging for many public entities, which are often constrained by limited budgets, outdated information technology (IT) systems and uncoordinated technology platforms. Public entities must therefore find more creative ways to address their technology risk, including the use of third-party vendors. If deployed properly, this strategy can offer several advantages. First, third-party vendors may be able to upgrade the IT equipment used by the entity and its agencies, as well as provide new hardware, software and technology services.

The public entity, as well as the agencies under its purview, would be able to obtain upgraded products and services under a multi-year contract, giving them all access to additional resources offered by these vendors. This would strengthen their technological safeguards and mitigate their cyber risk. Further, the public entity could see significant cost savings if its IT employees become employees of the vendor. A dedicated IT department may no longer be necessary for the often cash-strapped public entity, which would allow it to control costs by budgeting a known fee for the services allocated to each agency on the network.

People risks

Cyber risk presented by people involves assessing whether the public entity’s IT department has the right, or sufficient, talent and skills. Transitioning “inside” government IT employees over to a vendor may enhance the vendor’s understanding of the public entity’s business, a clear benefit to the vendor in carrying out its IT responsibilities. Outsourcing IT also allows the right vendor to focus on onboarding and privacy training for new and current government employees, on topics such as how to respond to phishing emails.

Capital risks

Finally, risk transfer should be part of any strategy to combat capital cyber risk. This entails procuring affordable, comprehensive first- and third-party cyber insurance coverage with a relatively low retention and adequate limits. Taking into account the third-party vendor considerations discussed above may allow a public entity to assemble a more favorable cyber risk transfer program, featuring more affordable and broader coverage than it had previously. The increased technological safeguards described above would likely improve the entity’s overall risk profile and help during the insurance marketing process.

Cybersecurity is a growing concern for the public sector. Just like for-profit corporations, public sector institutions can be impacted financially, operationally and legally, in addition to taking a reputational hit. Considering people, technology and capital risks as they relate to vendor relationships could be your best defense against a critical event.