The growing pace and sophistication of cyberattacks on U.S. public finance entities has led to rising costs and challenges in acquiring robust cyber insurance coverage.
Fitch Ratings says public entities are increasingly required to undergo stringent security audits and adherence to industry best practices in order to purchase cyber insurance. Cyber insurance may become increasingly unaffordable for public entities with smaller budgets as premiums continue to climb and if insurer guidelines necessitate increased staffing and costs to update older systems and software.
Without the ability to adequately transfer risk, public entities could face greater financial and reputational risks from cyberattacks, which could have negative credit implications, according to Fitch.
According to a 2021 survey of local governments by the Public Technology Institute (PTI), 59% of municipal information technology executives report that their cybersecurity budgets increased from the previous year, yet the majority also felt their cybersecurity budget is inadequate to support ongoing and evolving security initiatives.
The rise of high-profile ransomware incidents in the public finance sector beginning in 2018 led entities to turn to cyber insurance as a means of risk transfer. With ransom demands generally in the five-digit range, affordable and easy-to-obtain cyber insurance helped reduce financial risk.
However, with soaring ransom demands and recovery costs, insurers have adjusted premiums and prerequisites. With some ransomware demands climbing to six and seven digits, PF entities are getting priced out of quality and comprehensive commercial cyber insurance policies. Cyber insurers paid out about 73% of premiums collected last year, a dramatic rise from about 34% in 2018. Premiums on cyber insurance continue to rise in the wake of the coronavirus pandemic.
Despite higher costs, more and more public finance entities are acquiring cyber insurance. About 90% of respondents in PTI’s survey reported having cyber insurance, an increase from 78% the previous year, and 69% noted that their cyber insurance premiums increased since they were last renewed.
Public finance entities are also experiencing diminishing coverage limits, forcing some entities to purchase multiple policies to achieve the desired level of coverage. Reduced coverage may be more economical but it weakens the effectiveness of cyber insurance as a tool for risk transfer.
In addition to commercial insurance, state-level risk pools are important providers of cyber insurance for many smaller to mid-sized municipal issuers. The Association of Governmental Risk Pools (AGRiP) estimated at least 80% of all local public entities participate in one or more risk pools, which are typically established on a membership basis and oriented toward same-kind government groupings, such as school districts or counties. These pools, in which members agree to share the cost of risk, were established in the US in the 1970s and 1980s to reduce and stabilize general insurance costs when many commercial insurers did not serve the PF market. Public entity risk-sharing pools do not have to deliver profits and external regulation of pools varies from state to state and by type of risk.
Trends in insurance cost pressures may be lagged in risk pools compared with commercial insurance but will eventually drive increased member costs and/or expanded coverage at a higher price point. This direction is highlighted by the Texas Association of School Boards (TASB) Risk Management Fund. Privacy and information security coverage was initially offered to members in 2014 for protection against cybercrime but it was available only in conjunction with a member’s school liability coverage. This type of coverage subsequently expanded and larger members with more complex systems had the option to purchase higher coverage limits based on their organization’s needs starting in 2019-2020, with TASB staff evaluating each member to determine the additional cost for requested higher limits.
This article originally appeared as a post on the Fitch Wire credit market commentary page at www.fitchratings.com. All opinions expressed are those of Fitch Ratings.
Interested in Cyber?
Get automatic alerts for this topic.