[BreachExchange] Baltimore Authorizes Purchase of $20M Cyberinsurance Policy

Thu Oct 17 00:51:24 EDT 2019

https://www.govtech.com/security/Baltimore-Authorizes-Purchase-of-20M-Cyberinsurance-Policy.html

When Baltimore officials refused to pay the hackers that had locked
them out of key parts of their network in a May ransomware, the
resultant price tag was some $18 million in recovery costs and lost
revenue. That was, at least partially, because the city was not
covered by cyberinsurance.

In an apparent effort to make sure such a costly loss never happens
again, the city's Board of Estimates approved Wednesday the purchase
of two separate cyberliability insurance plans from the property and
casualty insurance companies Chubb and AXA XL.

According to the board's agenda, the city's Office of Risk Management
conducted a competitive selection process among 17 different carriers
that resulted in contracts with the two companies. The city will spend
a combined amount of $835,103 on the insurance: Chubb will provide $10
million in coverage, with a price tag of $500,103, while the city will
spend $335,000 purchasing another $10 million from AXA XL. The
insurance is effective as of the Board's approval.

Cyberinsurance — still a relatively experimental solution to an
evolving problem — is being purchased by governments across the
country as a backstop for the kind of incidents Baltimore suffered.

The purchase will secure a variety of coverage for the city. It
includes cyberincident response coverage, which provides services,
resources and personnel after a cyberincident; business interruption
loss, which covers net profits that would have been earned were it not
for an attack; and network extortion, which covers expenses necessary
as the result of extortion attempts, potentially including ransom
payments.

The city is also getting coverage for digital data recovery,
contingent business interruption and extra expense loss, among others.

For a city beset by internal strife, even the approval of Wednesday's
purchase apparently came with no lack of controversy. The board had
previously been ready to approve the purchase at the end of August,
but ultimately delayed approval due to the fact that City Council
President Brandon M. Scott and Comptroller Joan Pratt had not been
adequately briefed on the contracts, according to Baltimore Brew. The
contracts subsequently went through a review by the city's law
department.

The city also saw a string of controversies surrounding the attack,
including significant criticism of the city's former IT director,
Frank Johnson, who was chastised for lack of communication and
organization during and after the incident and who had also failed to
draw up an operational plan for such a scenario.

After taking leave in September, Johnson stepped down from his
position at the beginning of October, leaving the day-to-day
operations to his deputy, Todd A. Carter. A search for a permanent
replacement for Johnson will be happening soon, according to the city.