Insurer Warns Towns of Cyber Threats

COURT HOUSE – Cybersecurity is as much of a threat to municipal governments as it is to larger federal agencies and business organizations.  That was the message of a December 2017 letter from the Municipal Excess Liability (MEL) organization that stands behind the 19 New Jersey Joint Insurance Funds (JIFs). The JIFs provide coverage for about 65 percent of the state’s municipalities.
In Cape May County, the Atlantic County Municipal JIF insures all 16 municipalities from Ocean City to Cape May Point. The JIF is asking its members to place a renewed emphasis on cyber or technology risk. 
Reminding municipalities of their growing reliance on networks and computer-based services, the JIF has asked that governing bodies maintain security hardware and software systems, test those systems regularly and enact policies and procedures that govern technology use and the training of personnel.
The new Cyber Risk Management Program establishes a minimum set of technology standards and incentivizes municipalities with up to $7,500 reimbursement of a member’s $10,000 cyber incident deductible depending upon how far the municipality goes in meeting the standards.
The MEL has provided cyber insurance for its members since 2013. The growing sophistication of the cyber threats and the broadening of the types of organizations and agencies seeing cyber attacks are motivating a more formal response.
The Cyber Risk Management Program calls for achieving “minimum levels of technical and cybersecurity competency,” ensuring that “employees practice sound cyber hygiene,” and ensuring “that members have basic technology management support,” including “a basic plan to respond to a cybersecurity incident.”
All JIF members are covered for cyber insurance with a $10,000 per claim deductible.
The MEL plan establishes two levels of compliance with appropriate standards and offers tiered reimbursements for members who have met those standards.
Tier 1 compliance gains a member municipality a $5,000 reimbursement against the claim deductible. The tier 1 standards include system backup requirements, currency with applying patches to operating and application software, use of defensive software, annual training for system users, along with policies for technology management and incident response.
Tier 2 gains the member an additional $2,500 reimbursement. This tier includes a focus on control over access privileges, availability of appropriate technology support, password protection and encryption policies, and leadership expertise.
The MEL provides municipalities with models for plans and the use of best practices.
All of the documents and presentations related to the Cyber Security Management Plans candidly admit “There is no set of actions that will eliminate all technology risks.” 
To contact Vince Conti, email vconti@cmcherald.com.