Fitch Ratings-Austin/New York-18 November 2021: The growing pace and sophistication of cyberattacks on US public finance (PF) entities has led to rising costs of, and challenges in acquiring, robust cyber insurance coverage, Fitch Ratings says. Public entities are increasingly required to undergo stringent security audits and adherence to industry best practices in order to purchase cyber insurance. Cyber insurance may become increasingly unaffordable for PF entities with smaller budgets as premiums continue to climb and if insurer guidelines necessitate increased staffing and costs to update older systems and software.
Without the ability to adequately transfer risk, public entities could face greater financial and reputational risks from cyberattacks, which could have negative credit implications. According to a 2021 survey of local governments by the Public Technology Institute (PTI), 59% of municipal IT executives report that their cybersecurity budgets increased from the previous year, yet the majority also felt their cybersecurity budget is inadequate to support ongoing and evolving security initiatives.
The rise of high-profile ransomware incidents in the PF sector beginning in 2018 led PF entities to turn to cyber insurance as a means of risk transfer. With ransom demands generally in the five-digit range, affordable and easy-to-obtain cyber insurance helped reduce financial risk.
However, with soaring ransom demands and recovery costs, insurers have adjusted premiums and prerequisites. With some ransomware demands climbing to six and seven digits, PF entities are getting priced out of quality and comprehensive commercial cyber insurance policies. Cyber insurers paid out about 73% of premiums collected last year, a dramatic rise from about 34% in 2018. Premiums on cyber insurance continue to rise in the wake of the coronavirus pandemic.
Despite higher costs, more and more PF entities are acquiring cyber insurance. About 90% of respondents in PTI’s survey reported having cyber insurance, an increase from 78% the previous year, and 69% noted that their cyber insurance premiums increased since they were last renewed.
PF entities are also experiencing diminishing coverage limits, forcing some entities to purchase multiple policies to achieve the desired level of coverage. Reduced coverage may be more economical but it weakens the effectiveness of cyber insurance as a tool for risk transfer.
In addition to commercial insurance, state-level risk pools are important providers of cyber insurance for many smaller to mid-sized municipal issuers. The Association of Governmental Risk Pools (AGRiP) estimated at least 80% of all local public entities participate in one or more risk pools, which are typically established on a membership basis and oriented toward same-kind government groupings, such as school districts or counties. These pools, in which members agree to share the cost of risk, were established in the US in the 1970s and 1980s to reduce and stabilize general insurance costs when many commercial insurers did not serve the PF market. Public entity risk-sharing pools do not have to deliver profits and external regulation of pools varies from state to state and by type of risk.
Trends in insurance cost pressures may be lagged in risk pools compared with commercial insurance but will eventually drive increased member costs and/or expanded coverage at a higher price point. This direction is highlighted by the Texas Association of School Boards (TASB) Risk Management Fund. Privacy and information security coverage was initially offered to members in 2014 for protection against cybercrime but it was available only in conjunction with a member’s school liability coverage. This type of coverage subsequently expanded and larger members with more complex systems had the option to purchase higher coverage limits based on their organization’s needs starting in 2019-2020, with TASB staff evaluating each member to determine the additional cost for requested higher limits.
Contacts:
Omid Rahmani
Associate Director, US Public Finance
+1 512 215-3734
Fitch Ratings, Inc.
Terrace 1
2600 Via Fortuna, Suite 330
Austin, TX 78746
Rebecca Moses
Director, US Public Finance
+1 512 215-3739
Sarah Repucci
Senior Director, Fitch Wire
Credit Research & Risk Analytics
+1 212 908-0726
Media Relations: Sandro Scenga, New York, Tel: +1 212 908 0278, Email: [email protected]
The above article originally appeared as a post on the Fitch Wire credit market commentary page. The original article can be accessed at www.fitchratings.com. All opinions expressed are those of Fitch Ratings.