Cyber-attacks against businesses may dominate the news headlines, but recent events point to the growing number and range of cyber threats facing public entities.
Common cyber risks government organizations face include social engineering, phishing, malware, ransomware, wire fraud, and cryptojacking (which involves a hacker hijacking into a system to mine for cryptocurrency such as bitcoin). Government organizations are particularly at risk of data breaches as a result of lost or stolen personally identifiable information (referred to as PII) such as Social Security Numbers, credit card and bank account numbers, and personal health information.
At the 2019 California Joint Powers Insurance Authority (California JPIA) Risk Management Educational Forum, members participated in a session entitled Cyber & Ransomware Exposures — One Member’s Experience & Lessons Learned. Featuring Erich Falke, Chief Information Security Officer & Cyber Risk Practice Manager at ePlace Solutions; Kristopher Kleiner, Data Privacy Associate at Cooley LLP; and Jim Thyden, California JPIA Insurance Programs Manager, the presentation was part of the Forum’s Opening Session.
During the session, recently retired Police Chief Steve Hunt from the Azusa Police Department, shared the member’s recent experience with a cyber-attack. The department was hit by a ransomware attack when a staff member opened an email attachment containing malicious code that locked up files in the department’s network drives.
“The email was a well-authored fake purported to be from someone who had legitimate business with the city,” said Kleiner, who served as the breach coach during this incident.
According to Kleiner, the ransomware attack demonstrates the importance of exercising caution with email links and attachments. As a result of the attack, Azusa Police Department had no access to important data for several weeks while a forensic firm worked to decrypt and recover the department’s files. Azusa officials communicated their experience with other Authority members. This proactive sharing of information and resources saved other public safety departments from a similar ransomware attempt.
All California JPIA members are provided protection through the Authority’s Cyber Liability Program, for which Brit is the reinsurer. The program provides coverage of $1,000,000 per occurrence and aggregate per member per protection period for all coverages triggered.
To mitigate the privacy and security risks associated with common cyber threats, Authority members can access comprehensive services from Brit Data Safe powered by ePlace Solutions. Resources include a knowledge center of 500 resources and tools developed by privacy/security professionals, cybersecurity training for employees including interactive online courses and webinars, and unlimited expert advice cybersecurity experts and lawyers.
Under the Authority’s cyber insurance coverage, members also have access to a free pre-paid cyber advice line. This line offers advice from experienced industry professionals on all privacy/data security issues including risk assessments, incident response planning, vendor management, the California Consumer Privacy Act (CCPA), data breach prevention, and much more.
The presentation materials for the Cyber & Ransomware Exposures — One Member’s Experience & Lessons Learned and other 2019 California JPIA Risk Management Educational Forum sessions are available via the forum website.
Providing innovative risk management solutions for its public agency partners for more than 40 years, the California Joint Powers Insurance Authority (California JPIA) is one of the largest municipal self-insurance pools in the state, with more than 100 member cities and other governmental agencies. Members actively participate in shaping the organization to provide important coverage for their operations. The California JPIA provides innovative risk management solutions through a comprehensive portfolio of programs and services, including liability, workers’ compensation, pollution, property, and earthquake coverage, as well as extensive risk management training and loss control services.