As costs from this spring’s ransomware attack on Baltimore continue to come due, city officials will buy $20 million in cyber liability insurance to cover any additional disruptions to city networks over the next year.
The city’s Board of Estimates approved a pair of coverage plans Wednesday, the result of a competitive bidding process involving 17 carriers.
The first plan, for $10 million in liability coverage from Chubb Insurance, will cost $500,103 in premiums. The second, for $10 million in excess coverage, will be provided by AXA XL Insurance for $335,000.
The plans have a $1 million deductible, officials said. It is the first cyber insurance ever purchased by the city.
The term of the coverage is one year, though Lester Davis, a spokesman for Democratic Mayor Bernard C. “Jack” Young, said the expectation is the city will maintain cyber insurance in future years, as well.
“The city is going to reassess every year,” Davis said. “They will have to go through this process again when the terms are nearing maturity.”
In the May attack, hackers gained access to city systems, encrypted files using ransomware and then demanded payment for the decryption keys, which Young refused to pay. The attack crippled many systems, disrupting employees’ email service, halting water billing and suspending real estate transactions.
City officials previously said that the attack would cost more than $18 million, although much of that was in estimated lost productivity and delayed billing, some of which has been clawed back with the recovery of systems, such as the water billing system.
In addition to business interruption costs, the insurance package will cover digital data recovery, “network extortion” and a team to investigate attacks, officials said.
The board previously approved a $10 million supplemental budget for costs associated with the attack.
The board also approved a slate of payments Wednesday — more than $3.7 million in all — for contractors who were called into Baltimore after the attack to help get city systems back on their feet. That funding will be drawn from the previously approved supplemental budget.
The largest payment would be $1.3 million for “enhanced detection and remediation services,” which will continue through the end of the year, from Mandiant FireEye, a California-based cybersecurity firm. Another $816,613 will go to Seculore of Odenton for network monitoring; $771,708 to Crypsis of McLean, Virginia, for forensic services; $384,588 to California-based Dyntek to rebuild Microsoft products; $311,261 to the Washington law firm Clark Hill for response plan assistance; $150,000 to the multinational consulting firm Deloitte for evaluation services; and $43,200 to Dysis Solutions of Ashburn, Virginia, for a network engineer.
In addition, the board approved an additional $300,000 for Crypsis to continue working for another 130 calendar days. That noncompetitive procurement was justified by the fact that the company has experience with the system it is working on that no competitor would have, officials said.
The company, which began working with the city in May, “gained a unique set of experience in working with us in terms of understanding our policies and procedures, so they are in a unique position to help us through revising them or adding new ones,” said Todd Carter, acting chief information officer in the city IT department. “If we were to bring someone else on to do that work, it would cause probably a couple months delay.”
Sheryl Goldstein, Young’s deputy of operations, said the new contract represents a step forward for the city in its response to the spring ransomware attack.
“We’re now in the next phase of building a better and stronger and more protected network,” Goldstein said.
Davis said that work is expected to continue over the next 12 to 18 months.
Still, Goldstein did not rule out the risk of another attack.
“There are no guarantees, right? This happens to governments local and abroad. It happens to businesses that are incredibly well resourced,” she said. “The hackers get more and more sophisticated. We’re doing everything we can to work really hard to secure the network.”
Young said he didn’t know if having insurance would make him more likely to pay hackers in the event of another attack.
“I would talk to my team and decide that way,” he said.