
It’s easy to see why Target was a target.  Home Depot too is a depot of valuable information and credit card numbers.  Even a health insurer like Anthem could have a wealth of personal information that could garner a good payout from someone. 

But why Dallas, Texas; Licking County, Ohio; and Terrasse-Vaudreuil, Quebec? What might cities, towns and municipal agencies have to offer cyber criminals? Plenty.

As corporations have beefed up their cyber security awareness and networks, cyber criminals have set their sights on easier targets – our hometowns.

In Dallas recently, 150+ tornado sirens were hacked, causing them to blare non-stop for nearly two hours without any tornadoes in sight. One morning in 2015, residents of Terrasse-Vaudreuil, a small town in Quebec, woke up to find their municipality’s official website displaying a terroristic message, hacked by a group claiming to be the Middle East Cyber Army. In Ohio earlier this year, Licking County's government offices were completely shut down by ransomware, which obstructed access to the county’s computer network and phones – even shutting down its police force – until the county government paid a bitcoin ransom.

Even more recently, San Francisco's Municipal Transportation Agency fell victim to a similar ransomware attack involving its light rail system, the Muni. The hackers reportedly demanded 100 Bitcoin, or roughly $70,000, to release Muni ticketing machines from their control or else face data encryption. There was a temporary shutdown of machines and free rides for passengers before the Muni's systems were cleared of infection.

Easy Targets

Like most thieves, cyber criminals like to do their share of preying on easy targets. And besides that, communities and public agencies have an abundance of information to snag. Consider that municipal governments gather, process and store a tremendous amount of personal data about their employees, including social security numbers, bank account numbers for payroll direct deposits and retirement data, to name a few. Then there are residents’ tax records, criminal records, marriage licenses and, for some, credit cards on file to pay municipality-provided utility bills or property taxes. And community services departments have their own stash of information. Just consider that a local police car has a laptop that sends and receives data about drivers’ license status, insurance, arrest records, and other data. Local public school systems also maintain data, including teachers’ and other employees’ employment information as well as students’ addresses and social security numbers.

Such data, known as Personally Identifiable Information (PII), make municipalities, government agencies and other public entities potentially profitable targets for cyber criminals. Small governments and local agencies generate tons of sensitive information. According to the National Conference of State Legislatures, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving PII. Individual security breach laws typically have provisions regarding who must comply with the law, including businesses and government entities.

Required notification can be costly. According to the 2016 Cost of Data Breach Study, which is conducted by the Ponemon Institute and sponsored by IBM, the cost of breach resolution continues to rise. The 2016 study shows the average total cost of the breach response and resolution has increased to $7.01 million from $6.53 million last year, a rise of 7% year over year. According to the study, the average cost per compromised record is $221, a rise of 2% from last year’s figures, or $4 per record.

Quick Cash


Hackers also see the immediate opportunity of a quick payout. That’s why, by far, the biggest cyber exposure to municipalities is ransomware. As described in the Licking County, Ohio and San Francisco incidents, cyber criminals release malware into a system, often through an unsuspecting employee who clicks on an emailed link, which unleashes the havoc. Once the malware is released and spreads to other parts of the system, files cannot be accessed, phones may go down, and databases may be locked. The hackers demand a ‘ransom’, often in cryptocurrency such as bitcoins. It is not an astronomical amount, but it is enough that the criminals gain access to cash, and the municipality yields in order to regain timely access to its systems. (Read why paying ransom often does not make the problem go away.)

Some cyber security experts believe that cyber criminals also see towns, smaller cities and other local agencies as a pathway to bigger opportunity. Many local communities are connected to state and even federal agencies. Hacking locally is just one step toward a bigger hacking opportunity.


Underfunded Defense


Over the last several years, major corporations have seen their share of cyber incidents and now have whole cyber security teams using the latest technology to build a strong defense against future attacks. Municipal governments, school systems and other public agencies simply don’t have the necessary policies, procedures and personnel in place to create a cyber-secure environment. In addition, they typically do not have the monetary resources to have one dedicated IT employee, much less a cyber security expert.

Despite lack of resources, many public entities are learning that their cyber risk can still be lessened. A good security awareness training program is one of the simplest cyber security defenses, and a very effective one. Many local governments and agencies rely on anti-virus and firewall protections and focus very little on the educational need to prevent cyber-attacks.

Employees are a public or private enterprise’s first line of protection. There are a variety of services, including low-cost training or educational videos, aimed at improving workforce awareness – bringing employees up to speed on suspicious calls or emails aimed at staff, ‘phishing’ attempts that dig for personal information, and suspicious email attachments. Education goes a long way in preventing breaches. (Read about how other companies, including XL Catlin, educate their employees.)

Many communities are also turning to outside cyber security experts. Cyber security contractors provide various services including detailed security audits, business continuity planning, penetration testing – where the contractors themselves aim to get through a firewall to test its security – and simple end-user security awareness programs.

In It Together

In addition to boosting their security efforts, many municipalities, school systems and public agencies are purchasing cyber insurance coverage. While some larger cities and government agencies purchase standalone coverage, smaller communities are transferring some of their cyber risk as part of their pooled insurance programs or Joint Insurance Funds (“JIF”). JIFs are chartered public entities that allow local communities to pool their risk management resources and share the cost of their fire, liability, automobile and workers’ compensation insurance, and now also their cyber insurance. Today’s cyber insurance coverage, typically through its cyber-extortion component, is intended to address the costs associated with an incident such as a data breach or ransomware attack. (Find out more about cyber coverage specifics.)

Final Thought

No community wants to welcome a cybercriminal. They use deception and persistence to break into systems and steal data or extort valuable community funds. Just as many communities set up a Community Watch to prevent crimes in their neighborhoods, they have to boost their online diligence as well. Fortunately, they don’t have to do it alone. Communities are pooling together to buy the right insurance protection and turning to a growing cyber security industry for expert advice to keep cyber criminals from crossing town lines, literally and virtually.

About the Author

Scott Schleicher is an underwriting manager in XL Catlin’s Cyber and Technology Insurance Business.  He can be reached via email at or via phone at 1-301-529-2148.

