Houston to buy $30M in cybersecurity insurance
Houston City Council on Wednesday unanimously agreed to spend $471,000 on cybersecurity insurance, becoming the latest Texas municipality trying to bolster its response to growing technological risks.
The insurance can cover up to $30 million in expenses related to security breaches in the city’s network, including crisis response, recovery of losses and answers to legal claims stemming from cyberattacks.
While some data breaches are preventable, the prevalence of cybersecurity threats against city governments nationwide prompted Houston to take steps to insure itself, said At-large Councilman David Robinson, chairman of council’s Transportation, Technology and Infrastructure committee.
“There are those things that are just beyond the reach or scope of expected due diligence and preparation,” Robinson said. “You need to be prepared for the unknown.”
In the event of a cyberattack, such as hacking or phishing, in which people pose as trustworthy sources to obtain money or information, the insurance coverage could pay for crisis management resources, computer forensics, credit monitoring and call center services.
After a security threat is detected, the new policy could cover any loss of income or expense from the interruption of computer systems, according to council background materials outlining the insurance. It could be used to pay the cost of restoring or recollecting data affected by a cyberattack, as well the cost of investigating threats. The insurance policy also can be used for liability claims made against the city for failing to protect data or prevent access to confidential information.
City governments are finding that cyberattacks are becoming more sophisticated and attempts to pinpoint scams has become more difficult, said Jeff Thompson, executive director of the Texas Municipal League.
“If you’ve got the passwords to (city) email accounts, you would have a treasure trove of information and could pretty quickly craft a sophisticated scamming scheme that looked legit,” Thompson said.
Harris County was subject to one of those scams just weeks after Hurricane Harvey last year, when the auditor’s office received an email from someone who claimed to be an accountant with a contractor working on repairs to a parking lot. The scammer asked for nearly $900,000 to be deposited in a new bank account. The county sent the money Oct. 12, but raced to get it back the next day after being alerted by the real contractor that it had not requested the change.
The county got its money back, but the incident sparked an FBI investigation, as well as concerns that the third-largest county in America was vulnerable to online schemes.
Small and large cities across Texas increasingly are realizing the need for insurance policies to mitigate financial woes after a breach, but Houston’s need for such insurance policies likely would be greater than that of smaller cities, Thompson said.
“They’re more likely to be a target than a very small city,” he said. “There’s obviously lots of money that flows in Houston.”
In Texas, the city of Dallas has about $10 million in cybersecurity insurance coverage, but the cities of Austin and San Antonio have no coverage at all, according to a report presented to council’s Transportation, Technology and Infrastructure committee on Aug. 13.
The insurance carriers will be Indian Harbor Insurance Company, Lloyd’s of London and Endurance American Insurance Company. The city’s premium for Sept. 1, 2018 to Aug. 31, 2019 will be $471,400, according to city documents.