It was last month that I read a story about how Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack. The initial demand was for roughly $50,000 worth of bitcoin within a week's time. Though we don't know whether Atlanta tried to pay the ransom, the attackers took the payment portal offline and left the city to fend for itself.
The bulk of the monies were spent on incident response, digital forensics, and Microsoft Cloud infrastructure expertise and incident response consulting. The attack disrupted functions that the public relies on, including police department records and the judicial system. Residents couldn't even pay their water bills.
Press reports indicated that the city's network were not especially secure so perhaps the monies expended went a long way toward hardening Atlanta's security.
But a couple of days ago, I saw an article in The Atlanta Journal-Constitution which caught my attention. The article indicated that the government, in a previous ransomware attack on government computers at the Department of Agriculture, relied on its $100 million cyberinsurance policy, which appears to be the largest of any state in the nation.
That is what paid for the technologists and investigators who erased and reloaded the 60 computers that had been infected by malware on December 11th. The department's compromised systems — including employee email and internal operation servers — were brought back online 11 days later.
The malware attack was the first time Georgia used its cyber insurance policy since state lawmakers funded it last year. The annual premium costs $1.8 million. The two attacks do not appear to have been connected, but it is interesting that the city of Atlanta is also using cyberinsurance in response to its ransomware attack.
The Atlanta government, which is under investigation for its compliance with Georgia's open records law, denied a request from The Atlanta Journal-Constitution for the value of its cyber insurance policy with AIG. Unlike the state government, city officials redacted liability coverage amounts from insurance documents, citing undefined security concerns. That was interesting – I have some difficulty imaging what those concerns might be.
It cost $253,000 for the state to recover from the earlier attack, said Julie McPeake, an Agriculture Department spokeswoman. The costs covered remediation work, investigations and consultants.
The Agriculture Department has upgraded equipment, reviewed protocols and implemented new technologies to increase protection – as I am sure Atlanta has too.
Georgia's policy is large because it covers more than 100 agencies — almost every branch of state government besides higher education. A breach could cost the government about $165 per record, potentially resulting in astronomical numbers if a large number of people were affected.
Under Georgia's cyber insurance policy, the state is responsible for the first $250,000 in costs, leaving the insurance carrier responsible for the excess amount — an estimated $3,000 in the case of the Agriculture Department. The state's insurer for the first layer of coverage is XL Catlin. If you ask me, the insurer got off pretty lightly here!
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology