Categories
Budgeting & Resources Key Questions for Boards Leadership & Governance Planning & Policy

A Cyber Insurance Briefing for Elected Leaders

In today’s digital landscape, a local government’s data—from citizen records and utility operations to internal communications—is a prime target for cybercriminals. A single ransomware attack or data breach can cripple services, drain resources, and erode public trust.

While strong cybersecurity measures are your first line of defense, Cyber Insurance acts as a crucial safety net, helping your municipality manage the massive financial fallout of a successful attack.

If your village, town, city, county, or public utility is considering or renewing a policy, here is a look at what local governments can expect, the vital differences between what is typically covered versus what isn’t, and the critical questions you must ask your municipality and your broker.


The Six Critical Questions Elected Leaders Must Answer

As an elected leader, your top priority is the continuity of public service and the protection of taxpayer funds. Cyber risk is no longer an “IT problem”—it is a governance and financial crisis waiting to happen. Before you sign a policy, your governing body must confront these fundamental questions about your municipality’s readiness and resilience.

For each focus area, the core question the governing body must answer and the bottom line for taxpayers:

  • Operational Impact
    Core question: If our critical digital systems (email, payroll, utility controls) were locked down by an attack tomorrow, what essential public service would fail immediately?
    Bottom line for taxpayers: We must know which services—from 911 dispatch to water quality monitoring—are immediately jeopardized. If the lights go out, your response must be immediate.
  • Downtime Tolerance
    Core question: How many hours can our municipality sustain a complete disruption of public records and digital services before the damage to the community becomes irreversible?
    Bottom line for taxpayers: Every hour of downtime multiplies the cost, halts services, and directly erodes public trust. This defines your operational breaking point.
  • Financial Cost
    Core question: What is the documented, unbudgeted cost our municipality would face for recovery, separate from any ransom demand?
    Bottom line for taxpayers: The true expense is in forensic investigation, legal fees, and system restoration. You need a transparent figure on the financial exposure, which often runs into the millions.
  • Budget Resilience
    Core question: Do we have an explicitly dedicated and sufficient reserve fund that can absorb an unbudgeted recovery cost of at least $250,000?
    Bottom line for taxpayers: Most local governments do not. This question forces a review of whether a cyber event would force painful cuts to essential public programs.
  • Risk Strategy
    Core question: Are we relying only on our technology defenses, or have we established a financial safety net for when those defenses inevitably fail?
    Bottom line for taxpayers: Technology is a tool, but cyber insurance is the risk transfer mechanism. It is a layer of resilience for a modern public entity.
  • Governance & Accountability
    Core question: Who is the executive-level owner of cyber risk in this municipality, and is a tested incident response plan in place?
    Bottom line for taxpayers: Cyber risk is a leadership issue. Insurance helps ensure that the highest levels of governance have a clear, tested plan to guide the community through the chaos of a breach.

What is Typically INCLUDED in a Policy?

Cyber policies generally cover three distinct areas:

For each coverage area, the question it answers and examples of what is covered:

  • First-Party (Breach Response)
    What is covered: Who pays the costs for us to recover from the attack?
    Examples: Fees for forensic investigators, legal counsel, system restoration, and paying cyber extortion (ransom) demands (subject to limits).
  • Third-Party (Liability to Others)
    What is covered: Who pays if we get sued or fined for exposing citizen data?
    Examples: Defense costs, settlements, damages from citizen lawsuits, regulatory fines, and costs for notifying all affected individuals.
  • E-Crime & Financial Loss
    What is covered: Who pays if a criminal tricks an employee into sending public funds to a fraudulent account?
    Examples: Financial loss from Computer Fraud, Funds Transfer Fraud (e.g., fraudulent vendor invoices), and Social Engineering Fraud.

What is EXCLUDED?

Exclusions can be policy-specific, but there are several common areas where cyber insurance will not provide coverage:

  • Failure to Maintain Minimum Security: Claims can be denied if the breach is traced to your municipality failing to implement a required security measure, such as an unpatched server or not enforcing Multi-Factor Authentication (MFA).
  • Property Damage or Bodily Injury: Physical damage caused by a cyber event (e.g., a hack on a utility system causing a physical failure) may be covered by a General Liability or Property policy, not the cyber policy, unless specifically added.
  • Acts of War or Terrorism: Losses stemming from hostilities or state-sponsored cyber-attacks are often explicitly excluded.
  • Cost of Hardware/Software Upgrades: The policy will pay to restore systems, but generally not for the cost of upgrading to newer technology.
  • Known Vulnerabilities: If a claim arises from a vulnerability your municipality was aware of before the policy inception date, coverage may be denied.

Where Are the Hidden Traps?

The real risk often lies in the fine print. You need to look beyond the general coverage summary and scrutinize the endorsements and warranties within the policy. These items can act as “trap doors” that allow insurers to legally deny a claim.

1. The “Failure to Maintain Security” Clause

This is the most common and dangerous reason for denial today. Many policies contain a clause that makes coverage conditional upon maintaining specific security controls, most notably Multi-Factor Authentication (MFA).

  • The Warranty Trap: If your municipality warrants (guarantees) in the application that 100% of privileged users or remote access points use MFA, and an attack happens through an account that didn’t have it, the insurer may reject the entire claim based on a breach of warranty.
  • The No-MFA Endorsement: A particularly insidious version of this is the MFA Exclusion Endorsement. This endorsement is added to a policy to state that the insurer will not pay any claim that arises from or is attributed to the lack of MFA on specific systems (e.g., all email, remote access, or privileged accounts).
    • What does the No-MFA Endorsement mean for our paid policy? It means you could pay your full premium for a $1 million policy, but if the claim is traced back to a compromised employee email account that lacked MFA, the insurer can legally reject the entire claim. You have the policy, but no coverage for your greatest risk.

Action: Ensure your policy defines required security controls clearly and realistically. If an MFA endorsement is present, treat it as a policy killer unless you are 100% certain every covered access point complies.
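The warranty above is only safe to sign if the municipality can prove, from its own identity records, that every in-scope account actually has MFA enforced. The following Python script is an added example (it is not part of the briefing and not an insurer's tool) showing how that proof can be produced: it takes a constructed account export with hypothetical usernames, applies the three scope categories an application typically warrants (privileged, remote access, email), and reports coverage per category together with the exact accounts that would break the warranty. Disabled accounts are treated as out of scope, which is itself an assumption to confirm with the broker.

```python
"""Added example: verify an MFA warranty against an identity export (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool      # holds admin or otherwise elevated rights
    remote_access: bool   # can reach the network remotely (VPN, remote desktop gateway)
    email: bool           # has a mailbox
    mfa_enforced: bool    # MFA is enforced by policy, not merely enrolled
    enabled: bool = True


# Constructed sample export with hypothetical usernames; a real run would load
# this from the identity provider or directory instead.
SAMPLE_ACCOUNTS = [
    Account("clerk01", False, False, True, True),
    Account("finance.admin", True, True, True, True),
    Account("it.helpdesk", True, False, True, False),            # privileged, no MFA
    Account("contractor.vpn", False, True, False, False),        # remote access, no MFA
    Account("old.intern", False, True, True, False, enabled=False),  # disabled: out of scope
    Account("mayor.office", False, False, True, False),          # mailbox without MFA
]

# Scope categories the application warrants at 100% MFA; each predicate decides
# whether an account belongs to the category.
WARRANTY_SCOPE = {
    "privileged": lambda a: a.privileged,
    "remote_access": lambda a: a.remote_access,
    "email": lambda a: a.email,
}


def mfa_coverage(accounts, scope=WARRANTY_SCOPE):
    """Return {category: (covered, total, [non-compliant usernames])} over enabled accounts."""
    report = {}
    for name, in_scope in scope.items():
        members = [a for a in accounts if a.enabled and in_scope(a)]
        gaps = sorted(a.username for a in members if not a.mfa_enforced)
        report[name] = (len(members) - len(gaps), len(members), gaps)
    return report


def warranty_holds(accounts, scope=WARRANTY_SCOPE):
    """True only when every enabled, in-scope account has MFA enforced (the 100% the warranty demands)."""
    return all(not gaps for _, _, gaps in mfa_coverage(accounts, scope).values())


def format_report(report):
    """Render the coverage report as one line per category with any gaps listed."""
    lines = []
    for category, (covered, total, gaps) in report.items():
        pct = 100.0 * covered / total if total else 100.0
        line = f"{category:14} {covered}/{total} ({pct:.0f}%)"
        if gaps:
            line += "  gaps: " + ", ".join(gaps)
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(mfa_coverage(SAMPLE_ACCOUNTS)))
    print("warranty holds:", warranty_holds(SAMPLE_ACCOUNTS))
```

Run against the constructed export, the report shows the warranty failing in all three categories, which is exactly the position a municipality should discover before signing rather than after a claim is denied. Re-running the check after each access change, and keeping the output with the policy file, gives the governing body a dated record that the warranty was true when it was made.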

2. The Retroactive Date

All policies have a date—the Retroactive Date—before which the insurer will not cover any incident, even if the loss is discovered during the policy period. If a hacker has been in your system for six months and you purchase a policy today, you may not be covered for the full extent of the intrusion. This prevents coverage for “silent data breaches.”

3. The Exclusion for Software/Hardware “Betterment”

After an attack, forensic experts often recommend system upgrades (e.g., replacing an old server or moving to cloud services). Insurers will only pay for the cost of restoring the old system, not the cost of making it “better” or new. Your municipality must be prepared to budget for these betterment costs, which can be substantial and unexpected.


The Six Critical Questions to Ask Your Broker

Cyber insurance should be a true safety net, not a piece of paper. Use these questions to determine if your policy provides the coverage, expertise, and support your community needs.

1. What does the policy cover? What specific security controls are mandatory, and what happens if we fail to maintain them?

Demand a clear list of mandatory controls (like MFA for all remote access). Clarify if non-compliance with a warranty will void the entire policy or only exclude payment for claims related to that specific missing control.

2. What is the annual premium and deductible, and how does this fit our budget risk?

Understand the financial spread: Premiums for municipalities often range from $600 to over $100,000 annually, with deductibles from $1,000 to $100,000. Ensure these costs are sustainable and that the deductible is affordable in a crisis.

3. Does the insurer have demonstrated experience specifically with the public sector?

Government entities have unique challenges: tight budgets, complex regulatory compliance (like state breach laws), and critical services. An experienced insurer will offer tailored coverage that respects these public sector obligations.

4. What loss prevention and risk mitigation services are provided in addition to the coverage?

Look for high-value extras included in the policy: access to incident response hotlines, employee training platforms, vulnerability scans, and tabletop exercises. These proactive services reduce risk and can help lower future premiums.

5. If we report a breach, what is the guaranteed response time, and who is our dedicated contact?

Day to day or in a crisis, you need human support, not an automated line. Ask for a commitment to a response within hours, not days. Confirm you will have access to a cyber specialist, a dedicated claims manager, or a 24/7 breach response team.

6. What is the likely impact of making a claim on our future premiums and coverage availability?

Ask for candor: Will premiums spike after a claim, or will the insurer consider non-renewal? Understanding the long-term relationship ensures you are not penalized for using the safety net you paid for.


Announcing the Local Government Officials Guide to Cybersecurity

We are thrilled to announce the official publication of a critical new resource: the Local Government Officials Guide to Cybersecurity (LGOGC)!

This project was developed by the Local Government Cybersecurity Alliance (LGCA) specifically to empower elected and appointed officials—from supervisors and council members to city managers and agency heads—to effectively navigate the increasingly complex world of cyber risk.

Moving Beyond the Technical Jargon

Cybersecurity is not just an IT department problem; it is an enterprise-wide, whole-of-government issue that impacts finance, legal compliance, emergency services, and public trust.

The LGOGC cuts through technical jargon to focus on what matters most to community leaders: governance, accountability, and resilience. This guide was truly built by and for local government professionals, ensuring every concept is practical and immediately relevant to your fiduciary duty to protect the systems that serve your communities.


What the Guide Will Help You Achieve

The LGOGC provides a clear, actionable framework to help local leaders translate responsibility into practical action. Inside, you’ll find guidance to:

  • Integrate cybersecurity into your strategic and budget planning.
  • Strengthen oversight and reporting mechanisms.
  • Align your efforts with nationally recognized frameworks, such as NIST CSF 2.0.
  • Build a culture of cyber resilience that spans all departments and elected offices.

Download and Share Your Feedback

We believe that making cybersecurity governance as natural and necessary as financial oversight is achievable in every county, city, town, village, and district. This guide is a huge step toward that goal.

Download the Local Government Officials Guide to Cybersecurity (LGOGC) now.

We invite your feedback! Tell us, in our community forum or in a white paper, how your jurisdiction is addressing these challenges and what resources would be most valuable to you next.


Staffing Models and Outsourcing Options: Strengthening Cybersecurity in Local Government

Cybersecurity is not a one-time project—it’s a continuous, evolving responsibility. For local governments, building and sustaining a capable cybersecurity workforce is one of the most critical challenges in protecting public assets and maintaining operational continuity. Whether through internal staffing or external partnerships, the goal is the same: ensure readiness, resilience, and accountability.

The Human Capital Challenge

Many municipalities operate with lean IT teams, and cybersecurity roles are often under-resourced or entirely absent. This creates gaps in monitoring, incident response, and strategic planning. Without dedicated cybersecurity personnel, even basic tasks like patch management, access control, and threat detection can fall behind—leaving systems vulnerable to attack.

Staffing decisions must reflect the evolving threat landscape. Cyber risks are dynamic, and the workforce must be equipped to adapt. This means investing in ongoing professional development, clarifying roles and responsibilities, and embedding cybersecurity into broader governance structures.

Internal Staffing Models

Local governments can consider several internal staffing approaches depending on their size, budget, and risk profile:

  • Dedicated Cybersecurity Roles: Larger municipalities may benefit from hiring full-time cybersecurity specialists, such as a Chief Information Security Officer (CISO), security analysts, and compliance officers. These roles provide strategic oversight and technical depth.
  • Integrated IT-Cyber Roles: In smaller agencies, cybersecurity responsibilities may be embedded within general IT roles. While cost-effective, this model risks diluting focus and accountability unless supported by clear expectations and training.
  • Cross-Functional Teams: Cybersecurity can be distributed across departments—legal, procurement, emergency management—ensuring that risk awareness is embedded throughout the organization. This model requires strong coordination and leadership engagement.

Outsourcing Options

For municipalities with limited internal capacity, outsourcing can offer access to specialized expertise and scalable services. However, outsourcing should complement—not replace—internal readiness.

  • Managed Security Service Providers (MSSPs): These vendors offer 24/7 monitoring, threat detection, and incident response. MSSPs can be cost-effective for small governments but require careful contract management and performance oversight.
  • Virtual CISO (vCISO): A vCISO provides strategic guidance on a part-time or project basis. This model is ideal for agencies that need executive-level insight without the cost of a full-time hire.
  • Shared Services and Risk Pools: Regional collaborations allow multiple municipalities to share cybersecurity resources, training programs, and insurance coverage. This approach fosters community resilience and reduces duplication.
  • Consultants and Project-Based Support: External experts can assist with specific initiatives—such as risk assessments, policy development, or compliance audits. These engagements should be clearly scoped and aligned with internal goals.

Making the Right Choice

Choosing between internal staffing and outsourcing is not binary. Most local governments benefit from a hybrid approach that balances internal knowledge with external support. Key considerations include:

  • Size and Complexity: Larger agencies may require in-house teams, while smaller ones can leverage shared services.
  • Budget Constraints: Outsourcing can reduce overhead but may introduce long-term costs if not managed carefully.
  • Risk Profile: High-risk environments demand deeper expertise and faster response times.
  • Governance Structure: Cybersecurity must be aligned with leadership priorities and embedded into decision-making processes.

Tips for Implementation

  1. Conduct a Workforce Gap Analysis
    Identify current capabilities, unmet needs, and future requirements.
  2. Define Clear Roles and Responsibilities
    Avoid overlap and ensure accountability across departments.
  3. Invest in Training and Upskilling
    Build internal capacity through certifications, workshops, and tabletop exercises.
  4. Establish Vendor Oversight Protocols
    Monitor performance, enforce service-level agreements, and conduct regular reviews.
  5. Promote Cyber Literacy Across the Organization
    Engage non-technical staff in awareness campaigns and basic security practices.
  6. Align Staffing Decisions with Strategic Goals
    Ensure that cybersecurity supports broader objectives like digital transformation, public trust, and operational resilience.

Protecting the Crown Jewels: How to Secure Mission-Critical Assets

In cybersecurity, not all assets are created equal. Some systems and data are so vital to a government’s mission that their compromise could result in severe disruption, financial loss, or public harm. These are known as high-value assets (HVAs)—the crown jewels of your organization’s digital infrastructure.

According to the Cybersecurity and Infrastructure Security Agency (CISA), HVAs are “information or an information system that is so critical to an organization that the loss or corruption of this information, or loss of access to the system, would have serious impact on the organization’s ability to perform its mission or conduct business.” For state and local governments, protecting HVAs is not optional—it’s foundational.


Step 1: Identifying and Assessing High-Value Assets

Before you can protect HVAs, you must know what they are. This begins with a thorough organizational assessment to identify systems and data that are mission-critical. Once identified, conduct a comprehensive risk assessment to evaluate vulnerabilities, dependencies, and potential impact.


Step 2: Patch Management

Unpatched systems are one of the most common entry points for attackers. While scheduling maintenance windows can be challenging, timely patching is essential to reduce exposure to known vulnerabilities. Prioritize HVAs in your patching schedule and automate where possible.


Step 3: Malware Defense and Anti-Phishing

Deploy automated tools to detect and neutralize malware. Phishing remains a top threat vector—especially for systems that store sensitive data. Implement email filtering, sandboxing, and user training to reduce the risk of infection.


Step 4: Access Control

Limit access to HVAs based on job roles. Avoid shared administrative accounts and enforce logging and monitoring of all key security events. Regular audits help ensure that access privileges remain appropriate and that remote access is tightly controlled.


Step 5: Authentication

Multi-factor authentication (MFA) is a must for all users accessing HVAs. It adds a critical layer of protection against unauthorized access and credential theft. Ensure MFA is enforced across all access points, including remote and mobile connections.


Step 6: Network Segmentation

Segment networks to isolate HVAs from less secure systems. This limits lateral movement in the event of a breach. Define zones with specific rules and restrictions, and monitor traffic between zones to detect anomalies.


Step 7: Employee Education

Human error is a leading cause of cybersecurity incidents. Train staff to recognize phishing attempts, avoid risky behaviors, and follow security protocols. Use awareness campaigns, simulations, and role-specific training to reinforce best practices.
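Steps 4 and 6 above (role-based access to HVAs, no shared administrative accounts, regular audits, and zone rules with monitored inter-zone traffic) can be turned into a repeatable review. The Python script below is an added example, not part of the post or of CISA's guidance, and all asset, zone, user and role names in it are constructed. It checks a small access-grant list against a role policy, flags shared accounts holding HVA access, and checks constructed flow records against a zone allow-list so that traffic reaching an HVA zone from an unapproved zone is surfaced as a finding.

```python
"""Added example: an HVA access and segmentation review over constructed inventory data."""
from collections import namedtuple

Asset = namedtuple("Asset", "name zone hva")
Grant = namedtuple("Grant", "user role account_kind asset")   # account_kind: "individual" or "shared"
Flow = namedtuple("Flow", "src_zone dst_zone dst_asset port")  # one summarised network flow

# Constructed asset inventory with hypothetical names; hva=True marks the crown jewels.
ASSETS = {
    "scada-ctrl": Asset("scada-ctrl", "ot", True),
    "payroll-db": Asset("payroll-db", "finance", True),
    "intranet-wiki": Asset("intranet-wiki", "office", False),
}

# Role policy (Step 4): the assets each job role is allowed to access.
ROLE_POLICY = {
    "water-ops": {"scada-ctrl"},
    "payroll-clerk": {"payroll-db"},
    "staff": {"intranet-wiki"},
}

# Segmentation policy (Step 6): source zones permitted to reach each HVA zone.
ZONE_ALLOW = {
    "ot": {"ot", "ops-jump"},
    "finance": {"finance", "office"},
}

# Constructed access grants, as exported from a directory or access-request system.
GRANTS = [
    Grant("jsmith", "water-ops", "individual", "scada-ctrl"),
    Grant("admin-shared", "water-ops", "shared", "scada-ctrl"),  # shared admin account on an HVA
    Grant("mlee", "staff", "individual", "payroll-db"),          # access outside the role policy
    Grant("rkim", "payroll-clerk", "individual", "payroll-db"),
    Grant("rkim", "staff", "individual", "intranet-wiki"),       # not an HVA: out of scope
]

# Constructed inter-zone flows, as a firewall or flow collector would summarise them.
FLOWS = [
    Flow("ops-jump", "ot", "scada-ctrl", 502),
    Flow("office", "ot", "scada-ctrl", 502),             # office network reaching OT
    Flow("office", "finance", "payroll-db", 1433),
    Flow("guest-wifi", "finance", "payroll-db", 1433),   # guest network reaching finance
]


def review_access(grants, assets=ASSETS, policy=ROLE_POLICY):
    """Return findings for HVA grants that fall outside the role policy or use a shared account."""
    findings = []
    for g in grants:
        asset = assets.get(g.asset)
        if asset is None or not asset.hva:
            continue  # only HVAs are reviewed here
        if g.asset not in policy.get(g.role, set()):
            findings.append(("role-violation", g.user, g.asset))
        if g.account_kind == "shared":
            findings.append(("shared-account", g.user, g.asset))
    return findings


def review_segmentation(flows, assets=ASSETS, allow=ZONE_ALLOW):
    """Return findings for flows into an HVA zone from a source zone the zone policy does not allow."""
    findings = []
    for f in flows:
        asset = assets.get(f.dst_asset)
        if asset is None or not asset.hva:
            continue
        if f.src_zone not in allow.get(f.dst_zone, set()):
            findings.append(("zone-violation", f.src_zone, f.dst_zone, f.dst_asset, f.port))
    return findings


if __name__ == "__main__":
    for finding in review_access(GRANTS) + review_segmentation(FLOWS):
        print(*finding)
```

On the constructed data the review reports one shared administrative account and one out-of-role grant on HVAs, plus two flows that cross into HVA zones from zones the policy never approved. Running the same two checks on a schedule, with the real inventory, directory export and flow summaries as inputs, is one concrete form the "regular audits" and "monitor traffic between zones" steps can take.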


CISA’s Recommended Actions for HVA Protection

CISA outlines five key actions to help organizations secure HVAs:

  1. Establish an Organization-Wide HVA Governance Program
    Make HVA protection a strategic priority across departments.
  2. Identify and Prioritize HVAs
    Focus resources on the most critical systems.
  3. Consider Interconnectivity and Dependencies
    Understand how systems interact and rely on one another.
  4. Develop a Methodology for Prioritizing HVAs
    Use mission impact to guide protection efforts.
  5. Develop an Assessment Approach for HVAs
    Determine how often to assess and whether to use internal or external evaluators.

Protecting mission-critical assets requires more than technical controls—it demands strategic oversight, cross-functional collaboration, and continuous improvement. By identifying HVAs, implementing layered defenses, and following CISA’s guidance, state and local governments can reduce risk and ensure continuity of operations.


What Good Cybersecurity Looks Like for Local Governments

In today’s digital landscape, cybersecurity is not just a technical safeguard—it’s a cornerstone of public trust and operational continuity. For local governments, good cybersecurity means more than installing antivirus software or responding to threats as they arise. It’s about creating a proactive, strategic, and resilient approach that protects public services, sensitive data, and community confidence.

Municipalities face unique challenges: limited budgets, legacy systems, and growing digital demands. Yet, with the right governance and mindset, they can build cybersecurity programs that are not only effective but sustainable. So, what does “good cybersecurity” actually look like in practice?

1. Risk-Driven Decision Making

Effective cybersecurity begins with understanding risk. Local governments must identify their most critical assets—emergency services, financial systems, citizen data—and prioritize protections based on threat likelihood and impact. This means moving beyond generic checklists and tailoring strategies to the specific risks facing each department and service.

2. Adaptive and Responsive Systems

Cyber threats evolve quickly. Good cybersecurity programs are flexible enough to respond to new vulnerabilities, emerging technologies, and changing operational needs. This includes regularly updating policies, patching systems, and adjusting access controls to reflect current realities.

3. Proactive Prevention

Prevention is always more cost-effective than recovery. Strong cybersecurity programs focus on stopping incidents before they happen—through layered defenses, continuous monitoring, and employee training. This includes phishing simulations, endpoint protection, and network segmentation to reduce the blast radius of any potential breach.

4. Clear Roles and Shared Responsibility

Cybersecurity is a shared responsibility. From elected officials to frontline staff, everyone plays a role. Good programs define responsibilities clearly—whether through a dedicated cybersecurity officer, cross-departmental governance committees, or vendor oversight. This clarity ensures accountability and reduces gaps in coverage.

5. Measurable Performance

You can’t improve what you don’t measure. Good cybersecurity includes metrics for performance—such as incident response times, patching rates, and training completion. These indicators help leaders monitor progress, identify weaknesses, and make informed decisions about resource allocation.

6. Collaboration and Communication

Local governments don’t operate in isolation. Good cybersecurity involves sharing threat intelligence with regional partners, state agencies, and trusted networks. It also means communicating clearly with the public—especially in the event of a breach—to maintain transparency and trust.

7. Continuous Learning and Awareness

Cybersecurity is not a one-time fix—it’s an ongoing process. Good programs invest in continuous education for both technical staff and decision-makers. This includes staying current on best practices, participating in training, and fostering a culture of vigilance across departments.

Why It Matters

When cybersecurity is strong, local governments can:

  • Deliver uninterrupted public services.
  • Protect sensitive data from misuse.
  • Avoid costly breaches and reputational damage.
  • Build public confidence in digital systems.

Ultimately, good cybersecurity is not just about technology—it’s about leadership, strategy, and community resilience.


Barriers & Gaps in Local Government Cybersecurity

Cybersecurity is no longer a niche concern—it’s a foundational element of public service delivery. Yet many local governments remain vulnerable to evolving threats due to persistent and interconnected barriers. These challenges—funding, staffing, leadership, and awareness—are often treated as separate issues, but in reality, they reinforce one another. Addressing them holistically is key to building resilient, secure communities.


Insufficient Funding

Limited budgets continue to be one of the most cited reasons municipalities lag in cybersecurity. In many cases, cybersecurity is still viewed as an optional add-on rather than a core infrastructure investment—like roads, water systems, or emergency services.

This mindset must change. Cybersecurity protects the digital infrastructure that underpins nearly every public function, from permitting and payroll to emergency alerts and public records. Without adequate funding, municipalities are forced to rely on outdated systems, under-resourced teams, and reactive strategies. Treating cybersecurity as infrastructure—and funding it accordingly—is essential to long-term resilience.


Workforce Shortages and Skills Gaps

The global shortage of cybersecurity professionals affects every sector, but local governments are especially hard-hit. They often struggle to compete with private-sector salaries and benefits, making it difficult to attract and retain qualified talent.

Beyond staffing numbers, there’s also a skills mismatch. Many existing employees lack the specialized training needed to respond to modern threats like ransomware, phishing, and cloud vulnerabilities. Upskilling staff is critical—but training budgets are often limited or nonexistent.

To address this, municipalities must invest in local talent development, create career pathways in cybersecurity, and explore regional partnerships to share expertise and resources.


Leadership Engagement and Misunderstandings

Cybersecurity is not just an IT problem—it’s a strategic leadership issue. Yet many local leaders still view it as something technical staff handle in isolation. This disconnect can lead to blind spots in governance, leaving agencies exposed to preventable risks.

When cybersecurity is underestimated, the consequences are severe: halted services, lost public trust, and costly recovery efforts. Embedding cybersecurity into executive decision-making—through regular briefings, cross-departmental coordination, and clear accountability—is essential.

Leaders must understand that cyber risk affects every aspect of public service, and their engagement is critical to building a culture of security.


Expanding Attack Surfaces

The shift to remote work, cloud-based tools, and mobile access has dramatically expanded the threat landscape. Traditional network boundaries no longer apply. Every laptop, smartphone, and remote login is now a potential entry point for attackers.

This decentralization makes it harder to monitor activity, enforce policies, and respond to incidents. Municipalities must rethink their security architecture to account for this new reality—implementing endpoint protection, multi-factor authentication, and continuous monitoring across all devices and platforms.


These barriers are not insurmountable—but they require coordinated, strategic action. When funding improves, staffing can follow. When leadership engages, awareness grows. When cybersecurity is treated as infrastructure, resilience becomes possible.

Local governments must move beyond reactive fixes and embrace a governance model that integrates cybersecurity into every decision. The risks are real—but so are the opportunities to build safer, smarter communities.