This report does not constitute a rating action.
Key Takeaways
- High cyber insurance premiums and difficulties securing coverage are prompting local governments to form cyber risk pools, where they self-insure in a group administered by a third-party manager.
- In addition to more affordable coverage, mutualization provides a forum in which similar entities can discuss cyber security risks and develop best practices.
- Participation in risk pools, coupled with adherence to rigorous cyber security risk mitigation strategies, may reduce costs and could improve public sector entities' overall credit quality.
Escalating cyber security risks for U.S. public sector entities have increased the cost of protection. Skyrocketing premiums have, in particular, driven many public sector entities (especially smaller municipal governments) out of the market for cyber insurance.
Many local governments (LGs) have reacted by adopting an alternative to traditional private market insurance in the form of cyber risk pools. These consortiums of local governments not only offer lower-cost cyber risk insurance but also provide mutual support to public sector entities' cyber security efforts.
S&P Global Ratings views the proliferation of cyber risk pools as a positive development in public finance. That is particularly the case for entities priced out of the private insurance market and thus faced with exposure to significant uninsured cyber security risk. But it is also the case for the wider sector, where cyber risk pools have the potential to improve cyber risk management by facilitating knowledge sharing and best security practices.
Public Sector Entities Are Struggling To Maintain Cyber Risk Insurance Coverage
In the 2000s and early 2010s cyber insurance coverage was often part of the umbrella coverage offered by general liability insurance. The escalating frequency of cyber attacks put an end to that practice by pushing cyber-related premiums higher, prompting tighter underwriting standards, and ultimately leading to stand-alone cyber insurance.
The increase in cyber threats is particularly pertinent to LGs because municipalities, counties, and utility districts often have less formalized cyber security measures and limited access to cyber security professionals, at least compared to many private sector organizations. In addition, LGs' access to sensitive customer data makes them an attractive target.
As ransomware attacks have increased so have incidences of LG's key services being forced offline, including utility bill payment systems. The resulting losses have resulted in significant insurance payouts to public sector entities. At the same time the cost of cyber breaches has generally risen. In 2023, the global average cost of a cyber security data breach was $4.45 million, an all-time high according to IBM's Cost Of A Data Breach Report 2023.
Insurance companies have responded to the increased cost and frequency of attacks by restricting cyber insurance coverage, and in some cases refuse to offer insurance--including to public sector entities whose cyber risk is deemed too significant. Insurers that continue to offer cyber coverage to public sector entities have raised premiums (see chart), lowered coverage limits, and raised deductibles. LGs have experienced substantial premium increases (over 300% year-on-year, in some cases) that has prompted smaller public sector entities to forgo cyber insurance coverage.
Many insurers also demand greater disclosure from potential policyholders regarding their cyber security practices. In many cases, this takes the form of long questionnaires with highly technical cyber security questions. Smaller LGs often lack the expertise to complete these forms accurately, leading to denial of coverage.
Risk Pools Are A Cyber Insurance Alternative For Public Sector Entities
Risk pools emerged as an alternative to traditional insurance in the 1970s and 1980s, when the cost of property and casualty insurance rose beyond the reach of many LGs. The name comes from the pooling of participants' money to create a fund that serves as a source of distributions for claims, which are managed by a third-party. Economies of scale mean the risk pool offer cost savings to participants, while their non-profit nature means their premiums are typically cheaper than those of traditional insurance.
Cyber risk pools are modeled on this structure and have enabled LGs with limited options to secure cyber insurance coverage. Insurance from cyber risk pools functions in a similar manner to traditional insurance policies: with annual premiums, coverage limits, business interruption and data recovery insurance, and a deductible to be paid in the event of an attack.
A third-party risk management provider oversees operations and the cyber risk pool is self-governed by a member board. The composition of most cyber risk pools aligns with the public sector entities' geographic location and purpose. Thus, one of the current cyber risk pools provides coverage solely for New Jersey schools, for example.
In the event of a cyber attack, the affected participating entity can ask the third-party administrator for IT professionals to determine the extent of the attack and advise on or implement remedial measures, and for attorneys to resolve potential underlying claims arising from the breach. Some third-party administrators also offer a "breach coach" to assist members with solutions to deal with complex cyber attacks.
Cyber Risk Pools Offer Additional Benefits
Beyond providing lower-cost cyber coverage to an underserved segment, cyber risk pools also foster collaboration between participant members, assisting in the development of cyber security best practices and standardized processes. For example, the pools typically maintain a checklist of cyber security best practices that members are expected to adhere to.
This can be particularly beneficial to smaller LGs, many of which lack the resources to employ expensive (and permanent) IT professionals that might usually put cyber security systems in place. Furthermore, risk pools also provide members with access to third-party IT consulting services, typically at a reduced cost. Other cyber risk mitigation initiatives provided by risk pools include policy templates, toolkits, incident response planning, and training exercises.
There are other potential benefits too. For example, cyber risk pools' narrow membership focus can enable them to provide solutions that are uniquely targeted to the needs of the groups they serve, such as Arizona's schools or Minnesota's cities (see table). And their pooled weight means they can often tap the private market (on behalf of participants) to secure options that would be unobtainable for a single public sector policyholder, such as excess coverage beyond standard policy limits.
| Selected public sector risk pools | ||||||||
|---|---|---|---|---|---|---|---|---|
| Coverage structure | Other cyber/technology services provided | Organization background | ||||||
| League of Minnesota Cities (LMCIT) | Offers standalone first-party cyber insurance for members’ data security breaches (including response costs, expenses incurred from an attack, data restoration costs, and hardware replacement costs). Higher aggregate limits available for members who meet employee training, computer use, monthly data backup, and other requirements. Separate coverage plans address other cyber risks. For example, external parties’ claims resulting from a member’s data security breach are covered by LMCIT’s municipal liability insurance, while LMCIT's property insurance covers wire transfer fraud claims. | Loss control initiatives include incident response planning, wire fraud and financial scam prevention, and cyber attack prevention (ransomware, malware, etc.). Employs staff available to consult member cities on cyber policy creation, train municipal staff, and assist in technology procurement. | League of Minnesota Cities includes over 800 member municipalities, governed by a Board of Directors consisting of local officials. Created by the Minnesota State Legislature, but has been an independent, non-profit organization for 50 years. | |||||
| Arizona School Risk Retention Trust | Offers insurance including for cyber liability, liability, property, commercial crime, auto physical damage, workers’ compensation. | Offers members a "cyber risk toolkit" including vulnerability scans, risk assessments, phishing defense campaigns, incident response planning, group multi-factor authentication (MFA) purchasing, IT policy templates, virtual consulting, and tabletop exercises. Aims to lower risk profile to meet stringent reinsurance requirements and make the pool more attractive to reinsurers. | Non-profit corporation with over 250 member public school districts and community colleges. Cyber coverage first offered in 2013, with the risk toolkit launched in 2015. | |||||
| New Jersey--Municipal Excess Liability Joint Insurance Fund (MEL JIF) | Offers insurance against cyber risk, as defined by state law and the plan’s excess insurance policy. Members are classified as Basic, Upgraded, or Enhanced based on their security controls. Enhanced and upgraded members have lower deductibles and co-payments; incentivizing investment in and attention to cyber security. Cyber JIF purchases excess insurance, subject to local JIF and statewide claim limits. | Member JIFs must implement required cyber risk management program. All Cyber JIF members receive employee training, vulnerability management testing, security consulting, template policies and incident response plans, and access to online resources. Upgraded security requirements multifactor authentication (MFA), virtual private network (VPN), endpoint detection & response (EDR), and access privilege controls; “Enhanced” controls include penetration testing | Non-profit corporation founded to purchase excess property-casualty insurance for local JIFs. Cyber coverage modeled on The Municipal Excess Liability Environmental Risk Management Fund. Launched statewide Cyber JIF in January 2023 in response to the difficult cyber insurance market and limited local options. It had offered cyber liability as part of property damage coverage since 2013. | |||||
| New Jersey--School Pool for Excess Liability Limits Joint Insurance Fund (SPELL JIF) (New Jersey Schools) | A group purchase program that covers cyber risk. Tier 1 members, which utilize required controls, have lower retention and coinsurance costs than Tier 2 members, which don't have the required controls. This incentivizes investment in cyber security. | Provides regular training, seminars, and tools to help members manage cyber risk, influence organizational culture, and reduce risk. Tier 1 districts must have perimeter firewalls, antivirus software or endpoint detection and response, multifactor authentication for privileged access, encrypted backups, an incident response plan, and a vetting policy for third party vendors. | A joint self-insurance fund owned and managed by four local JIFs, with participation from 96 school districts. Operates four JIFs with participation from 96 school districts. Originally founded for local JIFs to fund excess losses on a group basis, rather than purchasing excess insurance individually. Began group purchasing cyber liability Insurance in 2013. | |||||
| Sources: Risk Program Administrators, League of Minnesota Cities, Arizona School Risk Retention Trust, MEL JIF, SPELL JIF | ||||||||
Cyber Risk Pools' Mutualism Is Both A Strength And A Weakness
Cyber risk pools are a viable alternative to third-party, for-profit insurance providers, and have the potential to reduce cybersecurity insurance costs for public sector entities. Yet that success is not guaranteed. For example, lax deployment of cyber security risk management protocols by some members could expose pools to elevated cyber risk, leading to more claims that necessitate higher premiums and undermine the cost savings that make the pools attractive.
Beyond cost and accessibility considerations we also consider that risk pools offer public finance issuers--particularly smaller, less sophisticated local governments--opportunities to reduce cyber risk through collaboration and information sharing. Ideally, that would lead to a virtuous circle in which better cyber security hygiene reduces risk, leading to reduced claims, reduced costs, and improved credit quality for participating public sector entities.
In certain states, like New Jersey, it is already unusual for entities from some public sectors to obtain private insurance. The improvements promised by cyber risk pools, coupled with necessity created by cyber insurances' cost and limited accessibility, means we expect that will become more common.
RELATED RESEARCH
Writer: Paul Whitfield
| Primary Credit Analysts: | David H Smith, Chicago + 1 (312) 233 7029; david.smith@spglobal.com |
| Aamna Shah, San Francisco + 1 (415) 371 5034; aamna.shah@spglobal.com | |
| Michael Ryter, Chicago +1 312 233 7016; michael.ryter@spglobal.com | |
| Secondary Contact: | Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.