The Tell: Cybersecurity risks are growing for state and local governments, report finds

United States

In April, hackers leaked thousands of emails from the administration of Chicago Mayor Lori Lightfoot in response to the police shooting of 13-year-old Adam Toledo. In early May, the city of Tulsa suffered a ransomware attack that left city systems offline for weeks.

Cybersecurity is just as critical for state and local governments as for for-profit entities, and a report from Moody’s released Thursday assessed their preparedness.

“In recent years, local governments have been frequent targets of ransomware attacks; they have lost money through cyber-enabled fraud; and they have experienced significant data breaches,” Moody’s analysts wrote.

“In 2020, the COVID-19 pandemic resulted in a rapid and abrupt move to remote work, creating challenges for managing applications and data outside of traditional networks during a period of increased malicious cyber activity,” the report said.

The report comes as the broad threat to services and infrastructure posed by cybercriminals was underscored earlier this month, when Colonial Pipeline temporarily shut down a main fuel artery to the East Coast following a ransomware attack, resulting in gasoline shortages across the southeastern U.S.

Related: Energy infrastructure may be more vulnerable to cyberattacks in next decade, warns Wells Fargo’s John LaForge

When it comes to the public sector, entities from states to school districts, recognize the threat, and most are responding by hiring cybersecurity professionals, developing incident response plans, or IRPs, and buying insurance policies, the report notes. Not surprisingly, the larger the entity — states versus cities, for example — and the more highly rated, the more prepared an entity is likely to be.

States were probably earlier to adopt such plans, and are now paying to maintain them, the analysts suggest, while local governments are probably only now in the process of developing programs, guidance, and teams. Moody’s does note that many municipalities participate in state or regional insurance pools which may include coverage for cybersecurity, as well.

Also see: Hackers targeted SolarWinds months earlier than previously known

For all the preparations currently in place, there are some considerations for the future. Among them: many cyber insurance policies have limitations. Only 42% of respondents to a Moody’s survey said their policies covered property damage, and only 54% said their policies covered new equipment. Both could be expensive for municipalities, the report points out.

Also, while local governments have been slower to adopt cloud technology than the private sector, usage is increasing. Storing data in the cloud can be a plus, since it allows governments to outsource some cyber risk management to third-party providers, which usually have stronger security and can handle updates more easily.

Read next: Washington wants to bring back Build America Bonds. The muni market isn’t buying it