Baltimore bought $20M in cyber insurance. Such policies are becoming more common

In the wake of the spring’s ransomware attack against city government computer networks, the City of Baltimore took a step this week toward protection in the event of future cyber attacks. But instead of technology, this particular purchase involved insurance.

The Baltimore Board of Estimates, which votes on spending decisions for the city, approved the purchase of cyber liability insurance for a total of about $835,000. Between two policies from Chubb Insurance and AXA XL Insurance, the city has $20 million in cyber liability coverage.

According to city documents, this provides for cyber incident response coverage, as well as costs of business interruption and digital data recovery, among other provisions.

While work is ongoing of “building a better and stronger and more protected network” to prevent future attacks, these policies offer a “safety net,” said Sheryl Goldstein, the mayor’s deputy chief of staff of operations. Cyber attacks are becoming more common against public entities, as Baltimore was among more than 20 cities to be hit with a ransomware attack this year.

We cover plenty of local companies that are offering ways to secure and protect data. At the same time, companies purchase insurance policies to protect against unforeseen losses. Cyber insurance brings this protection into the digital realm.

In general, cyber insurance is designed to provide for protection in the event of unexpected data loss, or if systems become compromised and are rendered inoperable, said Jeff Bathurst, director of SC&H Group’s IT Advisory Services practice.

It’s a growing tool for any organization that leverages technology. On the one hand, the threat landscape is changing all the time outside an organization. And inside, there is a risk that the people operating that technology will make a mistake.

Increasingly, business-to-business arrangements include requirements that companies have cyber insurance in place, as well: “It should be a part of the standard insurance portfolio for every organization,” Bathurst said.

In the event of a breach, a cyber insurance company coordinates third-party teams to provide legal help, as well as technology expert to help remediate the breach. Some insurance companies also work with teams that negotiate with attackers who are holding data at ransom on a company’s behalf — though it’s not clear whether the city’s policy has this service.

The City of Baltimore is spending less than a million dollar for insurance. Contrast that with $18 million that city officials have said was spent to recover from this year’s ransomware attack.

In the field in general, Bathurst said the insurance product continues to evolve even as it becomes more ubiquitous. Insurance companies are working to come up with more accurate models, while companies are still figuring out how much cyber insurance coverage they need.

For companies, Bathurst said, “one of the biggest challenges for people trying to address a cybersecurity event is, how far does it go and will we ever know?” Because unlike theft of a physical item, cyber attacks infect a network and spread, making it harder to understand the extent.