Cyber insurance for Baltimore further delayed by internal review
Two proposed contracts are described as “premature” and are now under review by the law department
Above: Notice on the Benton Municipal Building after the May 7 cyberattack immobilized key city functions. (Mark Reutter)
It’s a good thing that hackers haven’t, as far as we know, made another assault on Baltimore’s recently restored computer systems because another month has passed without the city holding insurance.
The Board of Estimates was set on August 28 to secure liability coverage for a future cyberattack – an oft-stated goal of Mayor Bernard C. “Jack” Young – when a proposed $835,000 expenditure for the coverage was abruptly yanked from the board’s agenda.
The removal was described at the time as a matter of courtesy extended by the mayor’s office to Council President Brandon M. Scott and Comptroller Joan Pratt, who had not been briefed on the terms of the contracts before the meeting.
Now the contracts – arranged to be awarded to two multinational companies – are being described as “premature” and are undergoing a review by the law department.
“Some wires got crossed by the different entities checking things. The contracts were put on the agenda before they were actually ready to go,” Lester Davis, the mayor’s spokesman, explained today.
Davis downplayed the significance of the legal review, saying the city will be obtaining “adequate insurance that will cover what needs to be covered.” He acknowledged that the contracts will not be appearing at the board’s next meeting on October 2.
Davis responded after Scott’s office told The Brew that no arrangements had been made for a briefing on the contracts, the initial explanation for the award delay.
Chief Solicitor Andre Davis, who sits on the Board of Estimates, did not respond to questions about the status of the cyber insurance and declined to make any statement about whether the proposed contracts were being renegotiated.
Surprised by Lack of Insurance
The May 7 ransomware attack occurred just days after Young had taken over as mayor following Catherine Pugh’s resignation.
Young told reporters he was surprised to learn that the city did not have insurance that covered cyber security incidents. (This despite being City Council president and chairman of the Board of Estimates since 2010.)
$10 Million in Losses
Getting the city’s email, revenue collection, real estate transfer and other networks back online has directly cost taxpayers $10 million, with millions more forfeited as a result of uncollected revenues and lost employee productivity.
Young called on Solicitor Davis to research the best way to insure the city against future attacks.
“We will be in negotiations with our existing insurance companies regarding current policies and also looking to enhance coverage,” Davis said in June.
Bids Submitted
Meanwhile, the Office of Risk Management undertook what it described as a competitive process to secure a quote for $20 million in cyber liability from 17 insurance carriers.
Zurich, Switzerland-based Chubb Insurance was selected for the first $10 million in coverage at a cost of $500,103.
An additional $10 million in “excess coverage” was assigned to AXA, a French conglomerate, at a premium of $335,000.
Under city rules, such “service” contracts are not open to public scrutiny before they are approved by the Board of Estimates, so the exact terms of the contracts are not currently known.
According to the Finance Department, coverage would include cyber incident response costs, business interruption losses and digital data recovery.
Third-party coverage would reportedly insure the costs of network security, payment card losses, regulatory proceedings and “electric social and printed media liability.”
On, Then off, Agenda
The contracts were set to be approved collectively by the Board of Estimates as part of its routine agenda until the items were deferred at the start of the August 28 meeting.
“We just want to make sure the other members of the board know the terms and all that good stuff,” spokesman Davis said after the meeting.
A week later, Frank A. Johnson, the city’s chief digital officer, was placed on indefinite leave. His removal was confirmed by the mayor’s office after The Brew reported on his departure.
An object of widespread criticism, Johnson was faulted for not communicating with agencies after the cyber attack and failing to craft a swift recovery plan.
He was replaced in an acting capacity by Todd A. Carter. The former Exelon IT manager had joined city government a day before the ransomware attack in May.