Local cyber budgets growing but still inadequate, survey finds
With cyber insurance premiums also rising dramatically, half of municipal governments may be without adequate coverage, one expert says.
Most local governments have seen an increase in their cybersecurity budgets compared to the previous year, but funding levels are still inadequate to support their needs, according to a recent survey.
Seventy percent of respondents to the Public Technology Institute’s annual Local Government Cybersecurity Survey said they have seen a year-over-year jump in funding, but 63% said the funding they receive is not adequate to support their cybersecurity initiatives and deal with the threats that they face.
While there are federal funds available for state and local governments cybersecurity—and the promise of more soon—the evolution of threats and the defensive technology needed means governments must continually spend more. That is especially true when transitioning from on-prem servers to the cloud, which is funded as an ongoing operating expense rather than a one-time capital expenditure.
“[Governments] recognize that you need more [money], but I don't think people take into account a true risk assessment … of what would be the cost if something was exposed,” said Alan Shark, vice president for public sector and executive director of PTI. “We've learned that [cybersecurity] can be incredibly costly, and you're going to pay one way or the other.”
When it comes to cybersecurity insurance, the survey found that the majority—just over 80%—of localities have a governmentwide policy that covers employee behaviors, protects operations and procedures and pays for damages and other services when an attack occurs. However, many respondents said they have seen a dramatic rise in premiums over the past year.
Forty percent of IT executives said they have seen their premiums rise, and Shark said he has heard anecdotally from local government officials that the process for getting insurance has become more complex due to the increasingly frequent and complex threats states and cities face.
An 11-page application for cyber insurance has now ballooned to at least 27 pages in some cases, Shark said, because insurers have grown more aware of their own risk and the payouts they may need to make. Plus, the market for cyber insurance is growing less competitive as some companies have withdrawn their offerings.
“It's a very complicated market,” Shark said, “and I think it's going to leave only half the local governments in this country with adequate coverage.”
On a positive note, cybersecurity awareness appears to be growing among elected officials, as 61% of the survey’s respondents said their leaders are “somewhat engaged or familiar” with the sector, recognition Shark said results from the drumbeat of attacks that have hit governments of all sizes nationwide.
When it comes to sharing information, resources, education and training, 39% of local IT executives said the relationship is poor between their local government and the state. Shark said that disconnect is because governments “do not have a mechanism” for closer cooperation at this stage.
A key tenet of the upcoming federal cybersecurity grant funding—something Shark said is a “step in the right direction” but may prove difficult to implement—requires a closer relationship between state and local governments and more planning and coordination. Greater cooperation represents the beginning of a “whole of government effort” on cybersecurity, Shark said, and is reflective of an “interesting, interconnected age” between its various levels.