Four months after Baltimore’s government was paralyzed by a ransomware attack, the city has decided to buy cyber insurance.

UPDATE: The board this morning deferred action on the insurance measure until its September 11 meeting.

No reason was publicly given for the delay by Mayor Bernard C. “Jack” Young or other board members.

This afternoon, the mayor’s spokesman downplayed the delay. “We just want to made sure the other members of board know the terms and all that good stuff,” said Lester Davis, who said “no objections at all” had come from either City Council President Brandon M. Scott or Comptroller Joan Pratt.

“This is an important expenditure, and we want to go above and beyond to make sure they know all the particulars about the insurance” before the vote, Davis said.

The Board of Estimates was set to approve the purchase of $20 million worth of liability coverage from the Chubb and AXA insurance companies at a cost of $835,000.

So far, the cyberattack has cost Baltimore government an estimated $10 million.

Expenses have included the hiring of scores of consultants to restore the afflicted systems and the purchase of software and equipment to “harden the environment” against future attacks.

The insurance policies will cover the costs of future cyber incident responses by the city, the business interruption loss from future attacks, digital data recovery, third-party coverage for cyber privacy, payment card losses, regulatory costs and “social and printed media liability,” according to BOE records.

Previous Attack

The cyberattack was one of the most extensive hacks in the history of American municipal government.

Publicly disclosed on May 7, it immobilized most of city’s computer systems, crippling a wide range of customer services, including real estate transactions and automated water billing.

The water billing system was not restored until earlier this month.

The hack came a year after Baltimore’s 911 dispatch system had been hacked, forcing employees to revert to manual mode to handle emergency service requests for a period of about 15 hours.

Despite that March 2018 attack, the city did not buy cyber insurance, leaving it exposed to millions of dollars in restoration costs after it refused to pay ransom to the still-unknown hackers.

Obtaining cyber insurance is something most big cities had already obtained, and Mayor Young “took steps to get it done in record time,” says his spokesman.

The attackers struck the city at a vulnerable time in city leadership.

Five days before the hack was announced, Catherine Pugh had resigned as mayor amidst an escalating “Healthy Holly” book scandal.

Pugh was replaced by Bernard C. “Jack” Young, the City Council president who expressed surprise that the city never had obtained cyber insurance (even though Young had been president of the Council and the Board of Estimates since 2010).

“He has made getting [cyber] insurance a priority of his administration,” said spokesman Davis.

“This is something most big cities had already done, and he thought previous administrations should have done it. So he took steps to get it done in record time.”

Criticized by Moody’s

Baltimore’s budget office has estimated that the malware attack would overall cost the city $18 million, not including reputational damage.

For example, a recent Moody’s Investor Services report faulted city leadership for not adequately investing in information technology.

Baltimore’s “lack of investment in cybersecurity when it had already fallen victim to a similar attack” was not good for the city’s credit, wrote Moody’s analyst Nisha Rajan.

Young recently announced that more than 95% of city services have returned to normal.

For Background:

• Baltimore’s out-of-date and underfunded IT system was ripe for ransomware attack

• What will it take to transform Baltimore’s anemic IT?

• Prepare for sticker shock when your next water bill comes.