When Baltimore officials refused to pay the hackers that had locked them out of key parts of their network in a May ransomware, the resultant price tag was some $18 million in recovery costs and lost revenue. That was, at least partially, because the city was not covered by cyberinsurance.
In an apparent effort to make sure such a costly loss never happens again, the city's Board of Estimates approved Wednesday the purchase of two separate cyberliability insurance plans from the property and casualty insurance companies Chubb and AXA XL.
According to the board's agenda, the city's Office of Risk Management conducted a competitive selection process among 17 different carriers that resulted in contracts with the two companies. The city will spend a combined amount of $835,103 on the insurance: Chubb will provide $10 million in coverage, with a price tag of $500,103, while the city will spend $335,000 purchasing another $10 million from AXA XL. The insurance is effective as of the Board's approval.
Cyberinsurance — still a relatively experimental solution to an evolving problem — is being purchased by governments across the country as a backstop for the kind of incidents Baltimore suffered.
The purchase will secure a variety of coverage for the city. It includes cyberincident response coverage, which provides services, resources and personnel after a cyberincident; business interruption loss, which covers net profits that would have been earned were it not for an attack; and network extortion, which covers expenses necessary as the result of extortion attempts, potentially including ransom payments.
The city is also getting coverage for digital data recovery, contingent business interruption and extra expense loss, among others.
For a city beset by internal strife, even the approval of Wednesday's purchase apparently came with no lack of controversy. The board had previously been ready to approve the purchase at the end of August, but ultimately delayed approval due to the fact that City Council President Brandon M. Scott and Comptroller Joan Pratt had not been adequately briefed on the contracts, according to Baltimore Brew. The contracts subsequently went through a review by the city's law department.
The city also saw a string of controversies surrounding the attack, including significant criticism of the city's former IT director, Frank Johnson, who was chastised for lack of communication and organization during and after the incident and who had also failed to draw up an operational plan for such a scenario.
After taking leave in September, Johnson stepped down from his position at the beginning of October, leaving the day-to-day operations to his deputy, Todd A. Carter. A search for a permanent replacement for Johnson will be happening soon, according to the city.