David H Smith, Chicago, david.smith@spglobal.com
Aamna Shah, San Francisco, aamna.shah@spglobal.com
Michael Ryter, Chicago, michael.ryter@spglobal.com
Published March 14, 2024
High cyber insurance premiums and difficulties securing coverage are prompting local governments to form cyber risk pools, where they self-insure in a group administered by a third-party manager.
In addition to more affordable coverage, mutualization provides a forum in which similar entities can discuss cyber security risks and develop best practices.
Participation in risk pools, coupled with adherence to rigorous cyber security risk mitigation strategies, may reduce costs and could improve public sector entities' overall credit quality.
Escalating cyber security risks for U.S. public sector entities have increased the cost of protection. Skyrocketing premiums have, in particular, driven many public sector entities (especially smaller municipal governments) out of the market for cyber insurance.
Many local governments (LGs) have reacted by adopting an alternative to traditional private market insurance in the form of cyber risk pools. These consortiums of local governments not only offer lower-cost cyber risk insurance but also provide mutual support to public sector entities' cyber security efforts.
S&P Global Ratings views the proliferation of cyber risk pools as a positive development in public finance. That is particularly the case for entities priced out of the private insurance market and thus faced with exposure to significant uninsured cyber security risk. But it is also the case for the wider sector, where cyber risk pools have the potential to improve cyber risk management by facilitating knowledge sharing and best security practices.
In the 2000s and early 2010s cyber insurance coverage was often part of the umbrella coverage offered by general liability insurance. The escalating frequency of cyber attacks put an end to that practice by pushing cyber-related premiums higher, prompting tighter underwriting standards, and ultimately leading to stand-alone cyber insurance.
The increase in cyber threats is particularly pertinent to LGs because municipalities, counties, and utility districts often have less formalized cyber security measures and limited access to cyber security professionals, at least compared to many private sector organizations. In addition, LGs’ access to sensitive customer data makes them an attractive target.
As ransomware attacks have increased, so have incidents of LGs' key services being forced offline, including utility bill payment systems. The resulting losses have led to significant insurance payouts to public sector entities. At the same time, the cost of cyber breaches has generally risen. In 2023, the global average cost of a cyber security data breach was $4.45 million, an all-time high according to IBM's Cost Of A Data Breach Report 2023.
Insurance companies have responded to the increased cost and frequency of attacks by restricting cyber insurance coverage, and in some cases refusing to offer insurance at all--including to public sector entities whose cyber risk is deemed too significant. Insurers that continue to offer cyber coverage to public sector entities have raised premiums (see chart), lowered coverage limits, and raised deductibles. LGs have experienced substantial premium increases (over 300% year-on-year, in some cases) that have prompted smaller public sector entities to forgo cyber insurance coverage.
Many insurers also demand greater disclosure from potential policyholders regarding their cyber security practices. In many cases, this takes the form of long questionnaires with highly technical cyber security questions. Smaller LGs often lack the expertise to complete these forms accurately, leading to denial of coverage.
Risk pools emerged as an alternative to traditional insurance in the 1970s and 1980s, when the cost of property and casualty insurance rose beyond the reach of many LGs. The name comes from the pooling of participants' money to create a fund that serves as a source of distributions for claims, which are managed by a third party. Economies of scale mean risk pools offer cost savings to participants, while their non-profit nature means their premiums are typically cheaper than those of traditional insurance.
Cyber risk pools are modeled on this structure and have enabled LGs with limited options to secure cyber insurance coverage. Insurance from cyber risk pools functions in a similar manner to traditional insurance policies: with annual premiums, coverage limits, business interruption and data recovery insurance, and a deductible to be paid in the event of an attack.
A third-party risk management provider oversees operations and the cyber risk pool is self-governed by a member board. The composition of most cyber risk pools aligns with the public sector entities’ geographic location and purpose. Thus, one of the current cyber risk pools provides coverage solely for New Jersey schools, for example.
In the event of a cyber attack, the affected participating entity can ask the third-party administrator for IT professionals to determine the extent of the attack and advise on or implement remedial measures, and for attorneys to resolve potential underlying claims arising from the breach. Some third-party administrators also offer a "breach coach" to assist members with solutions to deal with complex cyber attacks.
Beyond providing lower-cost cyber coverage to an underserved segment, cyber risk pools also foster collaboration between participant members, assisting in the development of cyber security best practices and standardized processes. For example, the pools typically maintain a checklist of cyber security best practices that members are expected to adhere to.
This can be particularly beneficial to smaller LGs, many of which lack the resources to employ expensive (and permanent) IT professionals who would usually put cyber security systems in place. Furthermore, risk pools provide members with access to third-party IT consulting services, typically at a reduced cost. Other cyber risk mitigation initiatives provided by risk pools include policy templates, toolkits, incident response planning, and training exercises.
There are other potential benefits too. For example, cyber risk pools' narrow membership focus can enable them to provide solutions that are uniquely targeted to the needs of the groups they serve, such as Arizona's schools or Minnesota's cities (see table). And their pooled weight means they can often tap the private market (on behalf of participants) to secure options that would be unobtainable for a single public sector policyholder, such as excess coverage beyond standard policy limits.
League of Minnesota Cities (LMCIT)
Coverage structure: Offers standalone first-party cyber insurance for members’ data security breaches (including response costs, expenses incurred from an attack, data restoration costs, and hardware replacement costs). Higher aggregate limits are available for members who meet employee training, computer use, monthly data backup, and other requirements. Separate coverage plans address other cyber risks. For example, external parties’ claims resulting from a member’s data security breach are covered by LMCIT’s municipal liability insurance, while LMCIT's property insurance covers wire transfer fraud claims.
Other cyber/technology services provided: Loss control initiatives include incident response planning, wire fraud and financial scam prevention, and cyber attack prevention (ransomware, malware, etc.). Employs staff available to consult member cities on cyber policy creation, train municipal staff, and assist in technology procurement.
Organization background: League of Minnesota Cities includes over 800 member municipalities, governed by a Board of Directors consisting of local officials. Created by the Minnesota State Legislature, but has been an independent, non-profit organization for 50 years.

Arizona School Risk Retention Trust
Coverage structure: Offers insurance including cyber liability, liability, property, commercial crime, auto physical damage, and workers’ compensation.
Other cyber/technology services provided: Offers members a "cyber risk toolkit" including vulnerability scans, risk assessments, phishing defense campaigns, incident response planning, group multi-factor authentication (MFA) purchasing, IT policy templates, virtual consulting, and tabletop exercises. Aims to lower the pool's risk profile to meet stringent reinsurance requirements and make the pool more attractive to reinsurers.
Organization background: Non-profit corporation with over 250 member public school districts and community colleges. Cyber coverage first offered in 2013, with the risk toolkit launched in 2015.

New Jersey--Municipal Excess Liability Joint Insurance Fund (MEL JIF)
Coverage structure: Offers insurance against cyber risk, as defined by state law and the plan’s excess insurance policy. Members are classified as Basic, Upgraded, or Enhanced based on their security controls. Enhanced and Upgraded members have lower deductibles and co-payments, incentivizing investment in and attention to cyber security. Cyber JIF purchases excess insurance, subject to local JIF and statewide claim limits.
Other cyber/technology services provided: Member JIFs must implement the required cyber risk management program. All Cyber JIF members receive employee training, vulnerability management testing, security consulting, template policies and incident response plans, and access to online resources. "Upgraded" security requirements include multifactor authentication (MFA), virtual private network (VPN), endpoint detection & response (EDR), and access privilege controls; "Enhanced" controls also include penetration testing.
Organization background: Non-profit corporation founded to purchase excess property-casualty insurance for local JIFs. Cyber coverage modeled on The Municipal Excess Liability Environmental Risk Management Fund. Launched statewide Cyber JIF in January 2023 in response to the difficult cyber insurance market and limited local options. It had offered cyber liability as part of property damage coverage since 2013.

New Jersey--School Pool for Excess Liability Limits Joint Insurance Fund (SPELL JIF) (New Jersey Schools)
Coverage structure: A group purchase program that covers cyber risk. Tier 1 members, which utilize the required controls, have lower retention and coinsurance costs than Tier 2 members, which don't have the required controls. This incentivizes investment in cyber security.
Other cyber/technology services provided: Provides regular training, seminars, and tools to help members manage cyber risk, influence organizational culture, and reduce risk. Tier 1 districts must have perimeter firewalls, antivirus software or endpoint detection and response, multifactor authentication for privileged access, encrypted backups, an incident response plan, and a vetting policy for third-party vendors.
Organization background: A joint self-insurance fund owned and managed by four local JIFs, with participation from 96 school districts. Originally founded for local JIFs to fund excess losses on a group basis, rather than purchasing excess insurance individually. Began group purchasing of cyber liability insurance in 2013.

Sources: Risk Program Administrators, League of Minnesota Cities, Arizona School Risk Retention Trust, MEL JIF, SPELL JIF.
Cyber risk pools are a viable alternative to third-party, for-profit insurance providers, and have the potential to reduce cybersecurity insurance costs for public sector entities. Yet that success is not guaranteed. For example, lax deployment of cyber security risk management protocols by some members could expose pools to elevated cyber risk, leading to more claims that necessitate higher premiums and undermine the cost savings that make the pools attractive.
Beyond cost and accessibility, we also consider that risk pools offer public finance issuers--particularly smaller, less sophisticated local governments--opportunities to reduce cyber risk through collaboration and information sharing. Ideally, that would lead to a virtuous circle in which better cyber security hygiene reduces risk, leading to reduced claims, reduced costs, and improved credit quality for participating public sector entities.
In certain states, like New Jersey, it is already unusual for entities from some public sectors to obtain private insurance. The improvements promised by cyber risk pools, coupled with the necessity created by cyber insurance's cost and limited accessibility, mean we expect that pattern to become more common.
This report does not constitute a rating action.