Late last year, it was announced that the major aluminum manufacturing firm, Norsk Hydro AS, received a $3.6 million cyberinsurance payout – the first around highly publicized, extensive cyber breach of March 2019. The large ransomware attack struck the company’s U.S. facilities – before spreading throughout the company, resulting in millions of dollars lost – destabilizing Norsk Hydro’s operations until the summer months. The payout covered merely six percent of the multi-million-dollar costs created by the incident and its aftermath. 

Investigators evaluating this cyberattack were quick to warn other organizations about ransomware risks and cybersecurity vulnerabilities. As global insurers face more cases of ransomware each year, the need for cyberinsurance – to cover the exorbitant expenses and variety of incidents we’re already seeing – falls not only on organizations, but also on cities.

Urbanization is speeding up, with the number of megacities projected to grow to 43 by 2030. Digitization is rapidly transforming urban services and supply-chains across power, transport, commerce and government in developing and developed countries alike. As we embrace many-to-many connectivity to deliver IoT these services, we must protect the digital side of city infrastructure with more robust cybersecurity, considering urban resilience and cyber resilience in tandem.

When Risk Becomes Reality

A city’s cybersecurity risks might involve personally identifiable information, like incidents involving lost or stolen confidential data, or insider risks, which could occur when such information is shared through personnel via carelessness, mistake, or sabotage. On the other hand, strategic external hacking on city systems can cause even more damage to equipment and software – and may require outside experts to help remediate, incurring more costs.

The financial and legal implications for a city that experiences a cyberattack are extensive. Hacking may include financial fraud, or other damage to financial systems. There may be additional supplier risks, if a city fails to take reasonable steps to protect suppliers' information, personnel, or property. Failures of compliance come with additional liabilities and significant financial penalties if negligence can be shown, with further litigation expenses incurred as a result. Such hacks can also create significant second or third-party risks, including impure water, environmental damage, fire, and automotive accidents; and a wide range of damage to residents, visitors, employees and property.

Evaluating a City’s State of Security

When looking at a city – beyond asking about its budgets, personnel and whether it is well-known enough to be a target of geopolitical hackers – cyber insurers consider whether there already has been a hack (attempted or successful) on that entity in the past. But as hacks become more sophisticated, insurance assessments must consider a number of additional factors. 

First, a city risk assessment must consider its security culture. At worst, a city may have no security organization at all; at best, it could have a cross-functional, active and coordinated group of responsible individuals. But cities and insurers should also examine the security architecture in place: do interactions occur between operational systems and central data centers, or are operations and conventional IT protected from each other? And do systems work securely end-to-end, or is security more limited, creating risk at various hand-off points?

And beyond structure, how does the city administer its security? Does it follow standards-based procedures, or is it more ad-hoc? Can it be proven that processes are followed, in practice?

These questions often come down to the city’s personnel requirements and processes. A city might have rules and mechanisms in place for handling personally identifiable information, but not for financial systems. Training personnel for basic incidents and blackmail risks that commonly occur in IT and operational systems – whether contractors or full-time employees – is best practice. Cities must evaluate their ability to prevent and detect a range of security incidents, so that in the case of a breach, they can enact an appropriate response management plan. 

Down at the device security level, if a city has not implemented role-based access control and managed identities for access to its systems, applications and data, a hacker may gain access to the entire city’s systems once network access is obtained, making the environment at a much higher risk for a single devastating cyberattack. If it’s common to see unmanaged device identities with device-specific passwords, default passwords, or entities that lack passwords entirely, then insurers should consider that a great risk to the city’s security. Systems, applications and data should have managed and controlled identities and lifecycles – with access granted on need only, and time constrained where appropriate – ensuring that someone with network segment access cannot access all systems. 

Shifting the Status Quo

While many cities may simply choose to take an "umbrella" approach to cybersecurity insurance policies (adopting one plan that covers a number of risks, rather than trying to itemize individual risks in themselves), it’s important to recognize that cyberinsurance should be designed to address and insure a broad range of issues, to ensure claims will be covered when – not if – some such incident occurs. 

Likewise, insurers will become increasingly adept at recognizing those security approaches deserving of lower premiums, from integrated cross-functional security processes to comprehensive identity and access management. With automation extending throughout cities’ infrastructure, data-driven cybersecurity systems need to create a traceable and tamperproof record of events for cities and their insurers, enabling analysis and correction of issues, whether in real time or after the fact. 

As cyber insurance becomes more complex and expensive, cities will have the fiscal and operational motivation to put personnel, policy and technical measures in place that can prevent cyberattacks – or at least limit the scope of any breaches that do occur. Personnel training and security coordination, dynamic risk monitoring, data tamperproofing, comprehensive access control and early warning systems around cybersecurity events are the best way to do so, while building cyber resilience within digital urban infrastructure.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.