Public Risk October 2019


PUBLISHED BY THE PUBLIC RISK MANAGEMENT ASSOCIATION OCTOBER 2019

CAN CITIES SURVIVE THE LATEST RANSOMWARE ASSAULTS? PAGE 6

ALSO IN THIS ISSUE

BUILDING A CYBER RESILIENT LOCAL GOVERNMENT PAGE 11

HOLD HARMLESS AGREEMENTS: A RISK MANAGEMENT STALWART REVISITED PAGE 16




OCTOBER 2019 | Volume 35, No. 9 | www.primacentral.org

CONTENTS

The Public Risk Management Association promotes effective risk management in the public interest as an essential component of public administration.


6 Can Cities Survive the Latest Ransomware Assaults? By Pat Speer


11 Building a Cyber Resilient Local Government By Thom Rickert

16 Hold Harmless Agreements: A Risk Management Stalwart Revisited By Joe Jarret

IN EVERY ISSUE: 4 News Briefs | 19 Advertiser Index

Public Risk is published 10 times per year by the Public Risk Management Association, 700 S. Washington St., #218, Alexandria, VA 22314. tel: 703.528.7701 • fax: 703.739.0200 • email: info@primacentral.org • Web site: www.primacentral.org. Opinions and ideas expressed are not necessarily representative of the policies of PRIMA. Subscription rate: $140 per year. Back issue copies for members available for $7 each ($13 each for non-PRIMA members). All back issues are subject to availability. Apply to the editor for permission to reprint any part of the magazine. POSTMASTER: Send address changes to PRIMA, 700 S. Washington St., #218, Alexandria, VA 22314. Copyright 2019 Public Risk Management Association.



National Cyber Security Awareness Month: Own IT. Secure IT. Protect IT.

PRIMA’s 2019 Cyber Security Toolkit offers weekly education:

WEEK 1: Social Media Safety
WEEK 2: Phishing Threat
WEEK 3: Safely Obtaining and Storing Data/Information from the Public
WEEK 4: eCommerce Risk: Protect Your Transactions
WEEK 5: Preparing for and Responding to a Cyber Attack

LEARN WITH: Podcasts, Infographics, Videos, White Papers, Quizzes, Virtual Cyber Academy


MESSAGE FROM PRIMA PRESIDENT SCOTT J. KRAMER, MBA, ARM

Health and Wellness: A Different Kind of Security

One of my biggest areas of responsibility over the last several years has been managing the healthcare and wellness program for my previous entity, the Montgomery County Commission (MCC) in Alabama. Managing healthcare has always been one of the more challenging tasks in my role, because the costs are difficult to control. However, it was worth doing because we recognized the positive impact that good wellness had on our employees and the county’s overall healthcare costs.

Wellness wasn’t always a priority. When I first joined the Montgomery County Commission as the risk manager 16 years ago, wellness was a new concept in the healthcare industry. Wellness didn’t just focus on basic healthcare, but on preventative care. And the results would do more than just increase the overall physical and mental health of employees; it could save employers and policyholders more money in the long run. Unfortunately, in 2003, Alabama was deemed the most obese state in the nation with an adult obesity rate of 28.4%. As such, there was increased pressure to extend health services into wellness services, as well as opportunities for state grants to address the obesity issue specifically.

As we began offering wellness programs, one such opportunity was a healthy steps challenge. The purpose was to have participants be more active than they were prior to starting the challenge. As participants met their personal weekly goals on a consistent basis they were rewarded with wellness gifts, for example, water bottles, sports towels, and gym bags. At the beginning of the program, we had about 730 employees, and I hoped to have 100 participate in this challenge. To my surprise, we had more than 400 join! I realized then that our employees could be incentivized to change their behavior with wellness programs, and the incentives did not have to be large.

At a PRIMA Annual Conference only a few years later, I attended a session that discussed the overall impact on healthcare dollars by starting an on-site wellness clinic. The presenter stated it was a way to truly reverse the trend of skyrocketing healthcare costs. The on-site clinic would be a health and wellness center, accessible to employees, which MCC would pay for directly. The on-site clinic would control rising healthcare costs by getting quality care to their employees quickly while promoting prevention services.

In my mind, instituting an on-site wellness clinic was a considerable risk, and it took several months of contemplation before I decided to pursue the idea seriously. I knew there would be significant upfront costs in running an on-site clinic, but the overall positive impact could be even greater. During my research, I interviewed colleagues who had implemented on-site clinics and wellness centers within their respective entities to gain a better understanding of how the process worked. I also considered if the workplace culture at MCC would embrace an on-site clinic, but the success of other wellness programs gave me confidence. Finally, I created a review committee comprised of colleagues in various departments and different roles. I presented the idea of installing on-site clinics and rolling it out to the employees with an incentive program for completing an annual health risk assessment. The committee overwhelmingly gave unanimous support for the program, and we moved forward with the on-site clinics. Today, it has proved to be one of the best investments the MCC has made in managing healthcare costs and providing better, and timelier, health and wellness services.

If you’re interested in opening an on-site clinic or wellness center, but don’t know where to start, PRIMA has some great resources. City of Kingsport’s Risk Manager and 2016-2017 President of PRIMA, Terri Evans, is featured on a helpful PRIMA podcast called “What to Know When Establishing an On-Site Health Center.” Don’t forget; you can also ask a question in PRIMAtalk. If you haven’t considered on-site clinics yet, I urge you to consider if it would be right for your entity.

Sincerely,

Scott J. Kramer, MBA, ARM
PRIMA President 2019–2020
County Administrator, Autauga County Commission, Prattville, AL



NEWS BRIEFS

RASH OF RANSOMWARE CONTINUES WITH 13 NEW VICTIMS—MOST OF THEM SCHOOLS

As investigations into a massive, coordinated ransomware attack against local governments in Texas continue, 13 new victims of ransomware attacks have been publicly identified. Most of them are school districts, though the victims also include an Indiana county, a hospice in California, and a newspaper in Watertown, New York. In the case of this latest batch of attacks, Ryuk ransomware has been identified as the malware used on at least three occasions.

As new attacks become public, it’s worth remembering the fallout from such attacks can add up quickly in terms of dollars and require a lengthy recovery period. The leadership of Baltimore City—hit by a ransomware attack in May—recently announced that $6 million of the money needed to cover the city’s more than $10 million ransomware cleanup operation would be pulled from funds earmarked for upkeep of city parks and public facilities. So far, the RobbinHood ransomware cost the city over $8 million in lost revenue and interest on deferred revenue. Baltimore is also now considering a contract for a $20 million “cyber liability” insurance plan.

This brings the total known, publicly reported ransomware attacks this year alone to 149, 30 of which have involved educational institutions. School districts are a particularly easy target for ransomware operators because of their low budget for information technology and limited security resources. According to Armor’s data, schools have become the second-largest pool of ransomware victims—slightly behind local governments and closely followed by healthcare organizations. But these numbers only include publicly reported incidents.

Just this week, for instance, CNN reported Percsoft and Digital Dental Record, two companies that handle online services in the dental industry, told roughly 400 customers that the software they use to connect to individual offices had been infected with ransomware earlier in the week. Dental administrators told CNN they couldn’t access basic information such as patient charts, X-ray data, or payment services. Digital Dental provided a statement saying 100 of the affected practices had been restored this week. As this incident emphasizes, many ransomware attacks initially go unreported, particularly those against small and mid-sized companies, who largely turn to insurers to help them pay off attackers quietly. That distinction may help explain why, in its 2018 Internet crime report, the FBI reported a total of 1,493 ransomware cases last year.

“Just like municipalities, which rely on critical systems to manage records and revenue in a community, school districts host data and systems critical to their community and its students,” said Chris Hinkley, head of Armor’s Threat Resistance Unit security team. “Thus, hackers know that schools cannot afford to shut down, that budgets are typically stretched thin, and that they often have few security protections in place, all aspects which make them a viable target.” Again, outside of Rockville, there is no word yet whether any of the other new public organizations targeted have cyber insurance or plans to pay ransoms. The payouts ransomware operators have recently received from similar targets—such as Rockville Center School District’s $88,000 payment, Riviera City, Florida’s $600,000 ransom and Lake City, Florida’s $500,000 ransom—“have signaled to the hackers that impacting entire communities can be very lucrative,” Hinkley noted.


THESE US CITIES RANK HIGHER FOR TECH SECURITY THAN PERSONAL SAFETY

The U.S. is home to some of the most digitally secure cities in the world, yet it lags behind in other important safety measures, a new study has found. Chicago, Washington DC, Los Angeles, San Francisco, Dallas and New York are among the world’s savviest cities when it comes to implementing cybersecurity measures and raising citizens’ awareness of digital threats, according to the Economist Intelligence Unit’s (EIU) new report called “Safe Cities Index 2019.” Indeed, all six places score over 90% for digital security, positioning them among the top 10 most digitally secure cities in the world—alongside Tokyo, Singapore, Toronto and London—and well above the global average of 67.2%.

The U.S. lags behind in other major safety metrics, however, the report notes. In fact, Washington DC is the only American city to make it into the top 10 when it comes to the report’s three other safety indicators: health security, infrastructure security and personal security. The U.S. capital places seventh globally for health security, and tenth for infrastructure security. Other major U.S. tech hubs, meanwhile, struggle to cut above 15th place in the remaining categories. Los Angeles records the lowest rank among them, placing 32nd for personal safety. Health security pertains to environmental policies and access to health care, according to the report. Infrastructure security regards transport safety and disaster management, while personal security covers crime levels and police engagement.

Though the U.S. displays some notable outliers, overall the report notes a general level of consistency across the four pillars, stating that investment in one area can have knock-on effects for others. “Different types of safety are thoroughly intertwined…it is rare to find a city with very good results in one safety pillar and lagging in others,” notes Naka Kondo, senior editor of the EIU. Tokyo, Singapore and Osaka, for example, perform especially well across all four categories, each placing in the top 10 across at least three of the four.

Top 10 safest cities:
1. Tokyo
2. Singapore
3. Osaka
4. Amsterdam
5. Sydney
6. Toronto
7. Washington DC
8. Copenhagen (joint)
8. Seoul (joint)
10. Melbourne

3 WAYS TO SHORE UP THIRD-PARTY RISK MANAGEMENT PROGRAMS

It’s been more than 50 years since the first 911 emergency call was made in the United States. Since that time, 911 has contributed to dramatic improvements in public safety, but the role of 911 has remained largely unchanged. Now, the rapid evolution of technology—particularly in communications and safety-related applications—is disrupting their operation.

Traditionally, emergency response centers, or public safety answering points (PSAPs), have been slow to keep up with technological improvements and changes in public expectations. For example, most response center systems don’t support smartphone technology, aren’t able to track mobile location, and can’t receive photos or videos from the field. Texting functions are all too frequently non-existent. Computer-aided dispatch (CAD) systems are often not integrated with emergency response communications, so dispatchers can’t speak with first responders through the same system. And very few systems are integrated with nearby agencies, making it incredibly difficult to deal with large-scale emergencies or natural disasters.

Since public safety threats are always evolving, emergency response organizations need to adapt and change to stay ahead. As an industry, public safety is on the threshold of its most transformative era. There are new CAD systems that leverage IoT, enhanced mobile location, AI, and cloud technologies to help emergency response organizations align with the new realities of our increasingly connected world. However, even with the most advanced technologies available, they won’t be effective without knowledgeable teams to leverage their capabilities.

Harvard professor and business and management thought leader John P. Kotter developed an award-winning eight-step process for leading change. It includes: create a sense of urgency; build a guiding coalition; form a strategic vision and initiatives; enlist a volunteer army; enable action by removing barriers; generate short-term wins; sustain acceleration; and institute change. While many organizations leverage Kotter’s approach, perhaps the biggest challenge for leaders is implementing the process on a consistent, continual basis.

In embracing Kotter’s eight steps, it’s essential to build a coalition to drive change, including those who are on the front lines. The role of the professional dispatcher is critical to saving lives, and their talents shouldn’t be underestimated when working to improve results. Leaders need to work with their dispatch teams to keep them up to date on the latest technologies and techniques. For example, some dispatchers may view artificial intelligence (AI) as a threat to their role. However, AI benefits dispatchers through real-time assistance to help them be more effective in their role.

While this is a time of extreme change, it is also a time of possibility for the public safety community and 911 professionals. New technologies and tools will support significant improvements in the ability to meet the public safety needs of today, and tomorrow. But, meeting these possibilities will require everyone involved—from the dispatcher to the director and many others—to leverage skills like leadership and change management to ensure our shared future is as bright as possible for everyone.



CAN CITIES SURVIVE THE LATEST RANSOMWARE ASSAULTS?

PUBLIC ENTITIES AND MUNICIPALITIES MAY BE MORE VULNERABLE TO CYBERATTACKS, BUT CREATING A SAFE COMPUTING ENVIRONMENT IS POSSIBLE.

BY PAT SPEER


It doesn’t have to be “Cyber Month” to recognize that the dark side of technology is currently infiltrating self-insured municipalities: ransomware attacks. Ransomware attacks occur when criminals break into an organization’s IT systems, encrypt as much data as possible, and then extort money (usually in Bitcoin) from the organization to get its own data back. If the ransom is not paid, the criminals may release the data to the general public, or delete it altogether.

How does ransomware occur? Criminals make ransomware products and tools available on the “Dark Web” to other criminals and then receive a cut of the “take” if the victims pay the ransom. Both the ransomware purveyors and the attackers who use these products to infiltrate these systems usually operate from countries that the FBI can’t reach.

Self-insured public entities such as municipalities are among groups that are particularly vulnerable because they:

• Operate within a significant regulatory environment;
• Have data that others could steal and monetize (personally identifiable information such as social security numbers, HIPAA-related information, credit card numbers, etc.);
• Have data that is critical and necessary to conduct business.

Actual risk includes more than just data housed on a server; it includes reputational/brand risk and the impact of losing trust from partners/vendors and members/customers as a result of an attack. Obviously, the adage, “it won’t happen to us,” is no longer valid. In fact, there have been more than 170 ransomware attacks on U.S. state and local governments since November 2013, notes the technology security company Recorded Future. “Unfortunately, it happens again and again to municipal systems that don’t have all the latest software, the latest protections or the highest-paid IT staffs,” Lee McKnight, an associate professor at Syracuse University’s School of Information Studies and an expert on cybersecurity, told USA Today.

Richard Mathis, CTO of CHSI Technologies, a Las Vegas provider of enterprise software to public entities and smaller insurers, says it’s not all about the latest software or highest-paid IT staffers—it’s a bigger picture that includes a solid IT governance program comprising comprehensive compliance and quality assurance. “This type of risk management requires common-sense due diligence, a clear line of responsibility for technology systems, a secure cloud platform, a plan that holds all partners and vendors to the same security requirements, and should the worst possible case occur, an incident response plan.”

MORE COMMON THAN EVER Unfortunately, the worst possible case is becoming a common occurrence, and the way municipalities and public entities deal with incident response is reflective of lessons being learned along the way.

For example, in March 2018, the city of Atlanta had more than a third of its systems crippled by a ransomware attack. Recovery took more than a year, with costs estimated at $17 million. In May 2019, Baltimore officials, after refusing to pay an $80,000 ransom at the advice of law enforcement authorities, approved $10 million in emergency funding to recover from a similar attack that immobilized some of the city’s systems and services, according to reports. Even smaller cities such as Lake City, Florida are finding themselves under fire: city administrators recently paid hackers a ransom of 42 bitcoins, or roughly $426,000.

In August, the computer systems in 22 towns in Texas were attacked, with data held hostage in a large-scale hack that was coordinated and launched by a “single-threat” actor. Hackers asked a collective ransom from all 22 towns and counties of $2.5 million paid in Bitcoin, NPR reported. In this case, hackers breached the city’s network using software that was used by an IT company to remotely manage Keene’s infrastructure… software that was also used by the other municipalities, confirmed the mayor of Keene, Texas, one of the cities attacked. It’s unclear whether the cities affected had sufficient security measures or backups of their systems and data. Although Texas’ state systems were not part of the hack, the attack did initially impact normal city business and financial operations and services.

What is clear is that not one of the cities agreed to pay the ransom. Instead, the Texas State Department of Information Resources (DIR), a government information portal providing technology advice to state authorities, deployed experts from more than ten government agencies and private sector partners to help cities recover, according to ZDNet.com. The DIR said that “more than 25% of impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual.” It’s worth noting that the scale of these attacks has grown so large that it warranted coverage on a recent CBS “60 Minutes” episode. More than a quarter of cities and towns in the United States have fended off ransomware attacks, and 26 percent say they fend off an attack every hour, according to the “60 Minutes” report.

AWARENESS AND ACCOUNTABILITY

The news out of Texas did not escape the attention of Keith Alberts, director of IT and marketing at Texas Political Subdivisions Joint Self-Insurance Fund (TPS), a Dallas-based self-insurance pool owned and operated by its members, local governments throughout the State of Texas. TPS provides a host of insurance products, including cyber insurance, to 146 public entity members (schools, cities, counties, central appraisal districts, etc.). That said, TPS takes its risk management efforts very seriously, encrypting and housing member data offsite, and keeping a mirrored back-up of the data available should a cyber incident occur. “Our goal is to provide anytime, anywhere access to data that is safe and secure,” says Alberts. TPS has a formal security program that includes a 15-page security and privacy policy, which all employees must sign. “We don’t have a budget line item for security, but it’s built in to every functional business area,” Alberts says, “and our customers, for the most part, are following suit.”

TPS’s school district members must build cybersecurity into their day-to-day operations, thanks to Texas Senate Bill 820, the district cybersecurity law, which requires independent school districts to create a cybersecurity policy and designate a person responsible for it. Because TPS deals online with a managed care vendor as well as other business partners, the organization also restricts, based on user role, access to certain layers of data in the organization’s portal, and encrypts data on all laptops. TPS recently engaged a company that tests users and networks against phishing threats, and provides training for all users. “We are concerned about phishing scams that lead to ransomware. We are doing things right,” says Alberts.

CHSI’s Mathis notes that a big part of doing things right involves acknowledging that everyone who touches sensitive data is accountable. “Security is an end to end problem, and all humans make mistakes, so we put multiple barriers in place. When a human error occurs, that’s natural; but the alert is issued when several errors are made in a row.”

MONITORING AND CONTROLLING ACCESS

For public sector entities, it’s typical to have users from any number of internal and external sources involved in the access and manipulation of data. For example, NGU Risk Management, an insurance program administrator based in Hendersonville, Tenn. that serves the needs of 206 public entities, including local government, schools and utility districts, contracts with a variety of third parties for the processing of customer information. Providing customized risk management programs that include property, liability (cybersecurity) and specialty lines coverages, the organization relies on a host of third-party contractors to help service its members. Because 90% of members, agents, business partners, third-party appraisers, and other stakeholders access the organization’s portal, NGU has made network security a strong priority. The company has issued an Acceptable Use Policy for all users, an incident response program, and recently engaged NetDiligence (ND), the preferred cyber risk management partner of Great American, the company NGU uses to write its cyber liability coverage. “We realize that public entities are a bit thin-stretched in security, and don’t have a specific line-item budget for security,” says Kyle Greenup, NGU’s VP of IT. “Because vulnerabilities are discovered so fast, it’s hard to keep up with, so our members count on us to create a safe computing environment for them to do business with us.”

As an enterprise technology solution provider, CHSI recommends restricting access to data based on an IT whitelist provided by the customer. “Two-factor authentication is required, and the individual should only be able to access the data with a predefined IP address,” notes Mathis. “If access for remote employees is needed, they should have to access the data via a VPN. Also, all backups should be placed on a time-limited URL, so if an entity forgets to access updates, the data doesn’t just sit there waiting to be hacked.” CHSI Technologies recommends following ISO 27001 protocols, a specification for an information security management system that provides a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
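Two of the controls Mathis describes, a customer-supplied IP allowlist and backups served only from a time-limited URL, can be enforced together with a signed link; the following is an added example written for this article, not code from CHSI, TPS or NGU, and the signing key, allowlist ranges, hostname and backup paths in it are constructed placeholders.

```python
"""Time-limited, IP-bound signed URLs for backup retrieval.

Added example for the access controls described in the article. Assumes a
hypothetical portal that serves backup objects under /backups/ and holds a
signing key on the server side. All concrete values below are constructed.
"""
import hashlib
import hmac
import ipaddress
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret. In a real deployment load it from a secret manager,
# never commit it to source, and rotate it on a schedule.
SIGNING_KEY = b"example-signing-key-rotate-me"

# The customer-supplied allowlist (constructed sample ranges).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

BASE_URL = "https://backups.example.invalid"  # placeholder host


def ip_allowed(client_ip: str) -> bool:
    """True only if the source address falls inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWLIST)


def _sign(path: str, expires: int, client_ip: str) -> str:
    # Bind the signature to path, expiry and source IP so that changing
    # any one of them invalidates the link.
    msg = f"{path}|{expires}|{client_ip}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_backup_url(path: str, client_ip: str, ttl_seconds: int = 900,
                     now: Optional[int] = None) -> str:
    """Issue a link usable only from client_ip and only until it expires."""
    if not path.startswith("/backups/") or ".." in path:
        raise ValueError("path must name a backup object")
    if not ip_allowed(client_ip):
        raise PermissionError(f"{client_ip} is not on the allowlist")
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "ip": client_ip,
                       "sig": _sign(path, expires, client_ip)})
    return f"{BASE_URL}{path}?{query}"


def verify_backup_request(url: str, client_ip: str,
                          now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side check of an incoming download request: (allowed, reason)."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        expires = int(q["expires"][0])
        bound_ip = q["ip"][0]
        sig = q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    # Check the allowlist against the real source address, not the one in the link.
    if not ip_allowed(client_ip):
        return False, "source ip not allowlisted"
    if client_ip != bound_ip:
        return False, "source ip does not match link"
    if now >= expires:
        return False, "link expired"
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(sig, _sign(parsed.path, expires, bound_ip)):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_570_000_000
    link = issue_backup_url("/backups/2019-10-01.tar.gz.enc", "203.0.113.10",
                            ttl_seconds=900, now=issued_at)
    print(verify_backup_request(link, "203.0.113.10", now=issued_at + 100))
    print(verify_backup_request(link, "203.0.113.10", now=issued_at + 900))
    print(verify_backup_request(link, "203.0.113.11", now=issued_at + 100))
```

The expiry check covers the case Mathis raises: a link that an entity forgot to use stops working once the window closes, regardless of how long the object itself stays in storage.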

ADVICE WORTH HEEDING

To assess your relative risk to a ransomware attack, experts say public entities should consider their size, the number of cities and counties they represent or do business with, and the cybersecurity measures currently employed. “Assess your own risk tolerance—the potential damage to your organization that hackers could inflict,” says TPS’s Alberts, “then assess the cybersecurity countermeasures you currently have in place.”

Protecting your organization from a ransomware attack does not necessarily require expensive next-generation firewalls, intrusion prevention systems or “security as a service” systems, notes Mathis. “What’s really required is attention to restriction: Designate the least number of people with access to the data, and those who do have access should have a minimal amount of privileges. This puts an extra burden on administration, but it’s worth it, i.e., it’s more difficult to ask for permission, but doing so will keep them out of the news, and their public entity safe.”

With experts predicting 50 billion devices connected to the internet by 2020, ransomware attacks will only increase. “By creating a culture of alert self-monitoring, a plan that makes employee safety training and security safeguards a priority, and a strategy that involves all stakeholders, including technology solution providers, the chances of being vulnerable to a ransomware attack diminish,” notes Mathis.

Pat Speer is an award-winning business journalist and principal of Speer Content Strategy & Development LLC.




Register for PRIMA’s OCTOBER WEBINAR (FREE TO MEMBERS)

Integrating ERM with the Strategic Planning Process
OCTOBER 16 | 12:00 – 1:30 PM EST
Speaker: Tim Wiseman, MBA, ARM-E, Assistant Vice Chancellor for Enterprise Risk Management, East Carolina University

Attendee Takeaways:
• Better understanding of sources of strategic direction and planning guidance for public entities
• Tactics for making the case to include modern ERM concepts in strategy setting
• Understanding of the typical challenges in merging risk considerations into strategic decision-making

UPCOMING 2019 WEBINARS

NOVEMBER 20TH: Improving Safety in Government by Changing Driving Behavior
Speakers: Chris Kittleson, ARM, Director of Loss Control Technical Services, Public Risk Underwriters of Florida, Inc.; Mike Scrudato, CPCU, ARe, Senior Vice President, Munich Re

DECEMBER 11TH: What Your Attorney REALLY Wants from Risk Management
Speaker: J. Michael Billingsley, JD, City Attorney, City of Kingsport, TN

Register at primacentral.org


BUILDING A CYBER RESILIENT LOCAL GOVERNMENT

Ways local governments can prepare for, withstand and recover from ransomware and other cyberattacks.

BY THOM RICKERT

What do Atlanta, Baltimore, Lake City, Fla., and more than two dozen small cities and towns across Texas have in common? The local government of each of these cities recently was the target of ransomware attacks—that is, malware attacks that prevent end-users from accessing a city’s systems and data unless the city pays ransom to hackers. The attack in Baltimore crippled the city’s networks, knocking several essential city services, such as closing home sales and issuing permits, offline. Yet, the city opted not to pay the ransom and instead has incurred costs approaching $18 million for attack-related remediation and new hardware and in lost or deferred revenue. In the case of Lake City, the government there paid a six-figure ransom to restore its phone lines, email and online utility payments.





Cities and towns all receive similar advice from the U.S. government and law enforcement: Do not pay a ransom. From the perspective of local government officials, however, it’s not a cut-and-dried decision. That’s why officials find themselves in the unenviable position of mitigating the overall financial impact of an attack. In other words, does it cost less to pay the ransom or to replace servers and data? According to the Beazley Group, the median ransomware demand in 2018 was $10,310, paid in cryptocurrencies like bitcoin. Other costs are harder to quantify, but according to Coveware, downtime resulting from ransomware attacks increased from an average of 7.3 days in Q1 of 2019 to 9.6 days in Q2 of 2019.

UNDERSTANDING CYBER HACKERS’ MIXED MOTIVATIONS

Although ransomware attacks are on the rise, other cybercriminals are simply looking to steal and sell a city’s data. Unlike the “hit-and-run” nature of ransomware attacks that are motivated by money, “hacktivists” seek to remain in the background, gathering as much information as possible over a long period of time. Their payoff comes in the form of disrupted services and the effect on the local government’s reputation.

The surge in targeting local government systems can be attributed to the fact that these entities are becoming more tech-oriented. To varying degrees, cities and towns are adopting a smart-city mindset, connecting municipal infrastructure to the internet and offering more online services to citizens. So, as cities are becoming more sophisticated, hackers are, too—and they are usually two steps ahead.

Another driver of these attacks is the technology landscape in most local governments. Due mainly to tight budgets and procurement processes, technology refresh cycles are years too long. In today’s environment, a three- to five-year refresh of software, PCs, servers, and security measures can create a lengthy and costly list of vulnerabilities.

HOW TO WITHSTAND—AND RECOVER FROM—CYBERATTACKS

Even though the scale, methods, and motivation of cyberattacks will evolve, there are meaningful near- and long-term actions municipalities can take today to adapt to changing conditions and to prepare for, withstand and rapidly recover from an adverse event.

• Take a reality check. To build a resilient local government, city officials’ first step must be to adopt a mindset of when an attack will occur, not if. That mindset must be owned, governed, and promoted at the highest level and shared across every department and with every internal stakeholder. As with any other risk, preparing for a potential cyberattack begins with identifying vulnerabilities. Among the first tasks: Identify all systems and how they interconnect, assess the strength of your current IT security, and determine your staff’s cyber awareness.

• Prepare your plan. It’s standard practice for cities and towns to have defined emergency response plans in place for unexpected events such as natural disasters or criminal activity. Now, local governments need to develop a similar comprehensive strategy for cyberattacks and how they will respond if faced with a ransomware demand. Along the way, be sure to build cyber resilience into future projects and strategic planning.

• Assess cyber maturity. This step will help pinpoint where you stand today. Are you using the latest security protocols? Begin by using free resources available from federal agencies, peers, and cyber liability insurers. Then, prioritize which legacy hardware systems and software applications can be replaced or upgraded immediately.

• Look beyond PCs. Not all ransomware attacks target a town’s financial system. In fact, most don’t. Instead, cybercriminals focus on fire or police department networks, libraries or parks and recreation departments, as these often link to targets’ financial systems, where personally identifiable information (PII)—which is easily monetized—is stored. As municipal infrastructures become more interconnected, a vulnerability could just as easily be a smart lighting system as an outdated desktop operating system.

• Build durable systems. Many of the steps cities and towns can take to withstand and recover from a cyberattack will also provide value every day. Cloud backups of data files and sturdy, redundant systems can also protect from events that are more common, such as power outages and system upgrades. And, when you’re conducting routine maintenance, a resilient system can bounce back quickly when its defenses or sensors fail.

• Maintain ongoing training and awareness. Don’t underestimate the value of consistent training and reminders about data security for staff members. Actually, it’s one of the first places to start. People are the weakest link in the security chain, jeopardizing an entire network by using weak passwords or clicking on malicious links. Training can’t be a one-and-done activity. Annual cybersecurity training reduces vulnerabilities, but monthly training or cybersecurity communications can significantly increase effectiveness rates. Having a robust, frequent cybersecurity awareness program for all personnel is an essential part of your overall cyber risk management.

LOWER THE ODDS OF AN ATTACK

As ransomware events become more prevalent and more costly, cybercriminals see new opportunities in aging local government networks that use ineffective security measures. Although it’s sobering to view ransomware and other cyberattacks as inevitable, the good news is that local governments can take concrete steps today to prepare and build resilience. By locating gaps; assessing current security measures; and preparing staff with frequent, consistent training, cities, and towns can minimize the risks and continue building a strong defense around critical systems and infrastructure.


Implementing safeguards might not fully protect against unforeseen cybercrime tools and tactics, but these measures will, at minimum, tighten your local government’s cybersecurity and help to keep your city or town off the list of successful cyberattacks.

Thom Rickert, CPCU, ARM, ARM-P, ARM-E, ARC, ARe, is the vice president, Head of Marketing for Trident Public Risk Solutions.



PRIMA PODCASTS PRIMA Podcasts are a convenient and quick way to learn about hot topics in the public risk management sector.

Listen at primacentral.org


BIG IDEAS. SMALL SETTING. PRIMA INSTITUTE The Industry’s Premier Risk Management Educational Program

October 21–25, 2019 • San Diego, CA PRIMA INSTITUTE 2019 (PI 19) is an innovative educational symposium comprised of fundamental risk management curriculum, outstanding faculty, and excellent networking opportunities. PI 19 is aimed at new and seasoned risk management professionals who want to learn more about emerging trends and best practices.

Registration Now Open: institute.primacentral.org


HOLD HARMLESS AGREEMENTS A Risk Management Stalwart Revisited

BY JOE JARRET



DURING MY PUBLIC SECTOR CAREER, I have been afforded the opportunity to serve as both a risk manager and attorney. Recently, I was attending a continuing legal education conference when I overheard a group of plaintiffs’ attorneys discussing the demise of hold harmless agreements. They predicated the demise of this stalwart risk transfer device on a 2019 ruling of the Supreme Court of Kentucky (Miller v. House of Boom Kentucky, LLC), which held that liability waivers signed by parents on behalf of their minor children are unenforceable when the party seeking the waiver is a for-profit business. I believe that my learned colleagues were a bit optimistic where public entity liability is concerned. The facts of the case in question are these:

In August 2015, Kathy Miller took her minor daughter, and her daughter’s friends to play at House of Boom, a for-profit trampoline park located in Louisville, Kentucky, that offers a collection of trampoline and acrobatic stunt attractions. Prior to the children being allowed to participate, Miller was required to agree to an extensive release and waiver of any claims providing that she, her spouse, her minor children, or wards may have or that may arise as a result of participating in any of the activities offered by House of Boom. While playing at House of Boom, Miller’s daughter sustained a fractured ankle when another child jumped off a three-foot ledge and landed on her ankle. Miller filed suit on behalf of her daughter against House of Boom for damages related to her injury. Based on the release and waiver of claims, House of Boom asked the United States District Court for the Western District of Kentucky for judgment in its favor. Due to the novelty of this issue in Kentucky law, the federal court sought guidance from the Supreme Court of Kentucky, and requested the Supreme Court answer the following question:

Is a pre-liability waiver signed by a parent on behalf of a minor child enforceable under Kentucky law? The court’s brief response to the above question was, “no.” However, the court did go on to rule that, although parents have the right “to raise their child, choose the child’s educational path, and make healthcare decisions on the child’s behalf,” these rights have “never abrogated the traditional common law view that parents have no authority to enter into contracts on behalf of their child when dealing with a child’s property rights, prior to being appointed guardian by a district court.” Despite this ruling, however, it is crucial to note that the Supreme Court held that pre-injury liability waivers signed by a parent on behalf of a minor are unenforceable when the waiver is signed in favor of a commercial, for-profit entity. The Court was cautious to expressly narrow its holding to waivers executed in favor of for-profit commercial entities, and in so doing, drew a marked distinction between waivers in the commercial context and public/not-for-profit context. The court specifically opined that, “the question of whether public policy exists to require enforcement of parent-signed, pre-injury waivers in a non-commercial context is not before this Court today, and thus we make no determination on the issue.”

HOLD HARMLESS AGREEMENTS: THE BASICS

For the newer members of our profession, a hold harmless agreement is a risk management staple designed to transfer risk to a third party. The hold harmless clause in a legal contract absolves one or both parties to the contract of legal liability for any injuries or damages suffered by the parties to the contract. Risk managers generally insist upon adding a hold harmless agreement to a contract when the service being retained involves risks for which the government does not, or legally cannot, accept responsibility, legally or financially. It is important to note that hold harmless agreements come in three broad categories:

➊ Broad form hold harmless agreements cover every activity referenced in the agreement and require the indemnitor to assume all liability of the indemnitee, even if the indemnitee is negligent;

➋ Intermediate form indemnity, where your entity can be held harmless for everything related to the activity or project except for problems or injuries that your entity alone caused; and

➌ Limited hold harmless, where the indemnitor only assumes responsibility for its own negligence.

HOLD HARMLESS AND THE COURTS

As a result of the House of Boom decision, hold harmless agreements are facing renewed scrutiny by the courts. There have traditionally been two conflicting views when it comes to the legality and viability of hold harmless agreements. One view is that hold harmless agreements are looked upon with suspicion by the courts, and as such, are not worth the paper they are written on. The other view is that hold harmless agreements offer public entities complete protection from all liability regardless of the circumstances. As any savvy risk manager will tell you, both schools of thought lack merit. In today’s litigious society, courts are more closely scrutinizing the exculpatory language contained in hold harmless agreements. As such, they are increasingly requiring that the agreement be strictly construed against the party relying on it, while insisting that the exculpatory clause be drafted in such a way that it particularly and clearly describes the liability to be limited. That is not to say, however, that courts are unwilling to void, as a matter of public policy, hold harmless agreements that are vague, overly broad, or inartfully drafted. Further, most states have either passed legislation or have had court decisions handed down rendering hold harmless agreements unenforceable in cases of gross negligence or official misconduct on the part of a public entity. Finally, many states preclude governmental entities from defending or paying settlements or judgments on behalf of any parties other than public entities and employees. Such states prohibit public entities from entering into agreements that serve to indemnify a private third party or pay any settlement or judgment on behalf of a third party.

DRAFTING THE HOLD HARMLESS AGREEMENT

Public risk managers can continue to rely upon hold harmless agreements by ensuring they are drafted in such a way as not to be overly broad, generic, all-inclusive, or vague. Courts today distinguish between the terms “indemnify” and “hold harmless.” Whereas a hold harmless agreement is generally understood to be designed to protect the public entity against the risk of loss as well as actual loss, the term indemnify is often interpreted to mean that the beneficiary of the agreement can only be expected to be reimbursed for any damage it suffers. The distinction between indemnity clauses and hold harmless clauses varies from state to state, although it is a generally accepted business practice that hold harmless clauses contain indemnity language designed to “defend, and hold harmless” a party “from any and all claims, damages, losses, and expenses, including, but not limited to, attorney’s fees, arising out of or resulting from negligence or misconduct in relation to the work defined in this contract.” In most states, a well-drafted, properly administered waiver, voluntarily and knowingly signed by an authorized representative of the entity with which the government is doing business, can protect the government from liability for injuries resulting from ordinary negligence. Conversely, rare is the court that will uphold a poorly written, vague agreement, or one that seeks to protect the government against liability for gross negligence, reckless conduct, willful/wanton conduct, or intentional acts.

THE FUTURE OF HOLD HARMLESS AGREEMENTS

When it comes to the future viability of hold harmless agreements, the devil is in the details. Risk managers should keep abreast of legislation and court decisions that address these valuable risk transfer devices, and likewise avoid using “one size fits all” agreements that a court could construe as vague, overbroad, or voidable by operation of law.

Joe Jarret is an attorney, former risk manager and past-president of the Southwest Florida Chapter of PRIMA and PRIMA’s 2016 Author of the Year.


ADVERTISER INDEX

Munich Reinsurance America: page 9

Travelers: Inside Front Cover

HAS YOUR ENTITY LAUNCHED A SUCCESSFUL PROGRAM? An innovative solution to a common problem? A money-saving idea that kept a program under-budget? Each month, Public Risk features articles from practitioners like you. Share your successes with your colleagues by writing for Public Risk magazine! For more information, or to submit an article, contact Teal Griffey at tgriffey@primacentral.org or 703.253.1262.

FIND US ON LINKEDIN! Receive daily updates on what’s new at PRIMA and in the public risk management industry! VISIT US AT www.linkedin.com/company/prima-central

CALENDAR OF EVENTS

PRIMA’s calendar of events is current at time of publication. For the most up-to-date schedule, visit www.primacentral.org.

PRIMA ANNUAL CONFERENCES

June 14–17, 2020: PRIMA 2020 Annual Conference, Nashville, TN, Gaylord Opryland

June 13–16, 2021: PRIMA 2021 Annual Conference, Milwaukee, WI, Wisconsin Center

June 5–8, 2022: PRIMA 2022 Annual Conference, San Antonio, Texas, Henry B. Gonzalez Convention Center

PRIMA INSTITUTE

October 21–25, 2019: San Diego, CA

ERM TRAINING

November 13–14, 2019: New Orleans, LA

PRIMA WEBINARS

October 16: Integrating ERM with the Strategic Planning Process

November 20: Improving Safety in Government by Changing Driving Behavior

December 11: What Your Attorney REALLY Wants from Risk Management


YOU COULD BE HERE

Public Risk Management Association

Career Center Upload resume Receive FREE resume writing help Search jobs Find your new career at primacentral-jobs.careerwebsite.com


You Know Risk Management is Valuable. Why Doesn’t Everyone? Check out PRIMA’S VALUE OF RISK MANAGEMENT SERIES

Public sector risk management is often not well understood or supported by other public entity staff and policy makers. To overcome this, we must be able to measure the value of risk management and communicate it to others. This five-webinar series provides you with the tools to do exactly that.

TOPICS INCLUDE:

Module 1 — Overview

Module 2 — Total Cost of Risk

Module 3 — Risk Maturity Models

Module 4 — The Risk Appetite and Risk Tolerance Framework

Module 5 — Strategies for Communication and Change Management

In addition to the webinars, PRIMA members will also have access to reference guides and case studies.

For more information, visit primacentral.org/vrms.



Evaluate Educate Elevate Create an Organizational Culture that Proactively Manages Risk ATTEND PRIMA’S 2019 ENTERPRISE RISK MANAGEMENT TRAINING!

NEXT TRAINING November 13–14, 2019 Hyatt Regency New Orleans

Visit primacentral.org/ermtraining to register today!

