The decision Wednesday to buy specialized insurance comes as U.S. cities face a growing threat of hackers seizing municipal computer systems and demanding ransoms that can top $1 million. Baltimore, which didn’t previously have cyber insurance, has estimated the attack cost at least $18 million in recovery expenses and lost revenue.
A Wall Street Journal survey last year found that a majority of the 25 most-populous U.S. cities had cyber insurance or were looking into buying it. Though policies vary, insurance can cover hackers’ extortion demands, legal costs, computer-forensics expertise and expenses stemming from having government services knocked offline.
The policies approved by Baltimore’s five-member Board of Estimates will include incident-response coverage, business-interruption loss and ransom payments. One-year premiums for a pair of $10 million cyber-liability policies, one from Chubb Insurance and the other from AXA XL Insurance, will total about $835,000. The city’s risk-management office says it followed a competitive process that included 17 insurance carriers.
“As the world changes and as criminal acts change, you have to adjust,” City Council President Brandon Scott said. “This is an adjustment well worth it to protect the citizens of Baltimore and most importantly protect their taxpayer dollars in the event this happens again.”
Sometimes insurers will advise cities to pay ransom demands as the path of least resistance, a step Baltimore refused to take in May after hackers froze thousands of city computers and demanded about $76,000 in bitcoin to unlock them.
Baltimore Mayor Bernard C. “Jack” Young later sponsored a resolution adopted by the U.S. Conference of Mayors that opposed payments after ransomware attacks. Such attacks involve cybercriminals invading networks, encrypting files and seeking payments to unlock them. Mr. Young, a Democrat, has said paying criminals only encourages more lawlessness.
Cybersecurity professionals say even when a city pays a ransom, it can still incur major costs to restore systems, ensure they aren’t still infected and bolster defenses to ward off future attacks. On Wednesday, Baltimore officials detailed nearly $3.8 million in emergency contracts with IT firms related to the May ransomware attack. They included $1.3 million for enhanced detection and remediation services, $817,000 for network monitoring, and $772,000 for forensic services.
In a report last week, Chubb said it saw more ransomware claims in the first half of this year than in all of 2018, a year in which the number of such attacks it saw jumped 84% from 2017. Also, hackers are getting more sophisticated while using new ransomware strains to launch targeted attacks, and some ransom demands are reaching the six- and seven-figure range, Chubb said.
The Federal Bureau of Investigation has said there is a growing pattern of ransomware attackers going after larger enterprises rather than individual users. The bureau says most ransomware cases in the U.S. aren’t publicly reported and victimized companies are particularly eager to avoid the negative publicity.