Public entities like all organizations face cyber threats that can upend their systems, cause reputational damage and result in significant losses. At this year’s PARMA (Public Agency Risk Management Association) conference on risk management, a panel discussion reviewed some of the types of cyber exposures public entities face. Public entities include towns, villages, boroughs, counties, housing authorities, special districts, utility authorities, public K-12, colleges/ universities, and social services.
Some examples of cyber claims by public entities include: Ransomware claims in which systems are inhibited or locked down until payment of the ransom; virus encryption attacks that have shut down municipal servers including a 911 center; and school districts experiencing a denial of service attack that overloads their servers and can shut down schools during the attack. The exposure on such claims can be anywhere from a few thousand dollars to several million dollars. It can cost hundreds of thousands of dollars just to investigate a data breach to determine whether any information was compromised.
Mitigating these and other types of claims is important for public entities, and involves:
- Developing and periodically testing an incident response plan that identifies an incident response team (including key stakeholders and the forensic and legal team) BEFORE the incident.
- Training employees to recognize threats. For example, if a computer is slow, experiencing pop-ups, or there are performance issues it could be a virus.
- Being vigilant about phishing or social engineering techniques. Criminals use a program or even something as simple as a phone call to get into the system password. The information is voluntarily provided to these fraudsters typically by duping individuals. These criminals are professionals and they often do their research into background issues so you trust the message.
- Examining URLs in emails or links they ask you to click. Sometimes one character being off in a URL will reroute you to a rogue site.
- Avoid downloading or opening attachments from an unknown sender.
- Assessing the adequacy of existing Cyber insurance coverage.
- Evaluating potential third-party/vendor risk and indemnification provisions to ensure they cover the full costs of a data breach, including notification costs and credit monitoring.