Written by: Shayne Kavanaugh, Senior Manager of Research, GFOA Research and Consulting Center; Rob Roque, Technology Services Manager, GFOA Research and Consulting Center; Teri Takai, Executive Director, Center for Digital Government

Blog adapted from: https://www.gfoa.org/materials/cyber-risk-savvy

Image by Pexels: https://www.pexels.com/photo/code-projected-over-woman-3861969/


Cybercrime is a rising and evolving threat to water and wastewater systems across the nation. Last year, the federal government’s Critical Infrastructure and Security Agency (CISA) issued an advisory outlining the cyber threats water and wastewater systems are currently facing, including recent examples of ransomware attacks in California, Nevada, and New Jersey. Moreover, the Water Infrastructure Act of 2018 requires water and wastewater systems that serve more than 3,300 people to factor in cybersecurity threats when formulating risk and resilience assessments and emergency response plans. Notably, water and wastewater systems are attractive targets for cybercriminals for a few reasons:

  • Their IT networks are typically not very secure
  • They maintain a variety of sensitive data about citizens and employees
  • They are more accessible and vulnerable than private sector entities due to their public profile

Such attacks can be costly in terms of lost revenue and recovery efforts, in addition to a damaged reputation and the possibility of lawsuits. This leaves public organizations with already constrained resources to confront a complex and dynamic issue.

The two main options water and wastewater systems have in acting against cybercrime are: invest in tightened cybersecurity controls, or cybersecurity insurance. Controls are preventative measures that can stop an attack from doing damage. Examples of control measures include staff training on safe cyber practices, data backups, or software patching. Cybersecurity insurance, on the other hand, focuses on remediation by contracting with an outside entity to cover specific liabilities or potential attacks. The advantage of cybersecurity insurance is that it can provide relief from catastrophic losses where it is impractical to develop sufficient controls.

The following four steps will help water and wastewater system decision-makers navigate this trade-off and become more cyber risk savvy.


1. Know the Basics of Your Cybersecurity Situation

There are three questions to ask as part of Step 1:

  • What are the most important assets you need to protect?
    • Technology assets with sensitive data or that administer mission-critical functions are the most important.
  • What threats are most important?
    • Today, ransomware attacks are the most prevalent threat. Other possible threats include denial of service attacks, leaks of sensitive data, or cyber sabotage of various forms.
  • What is the state of your controls?
    • Important controls include multifactor authentication, firewalls, encrypted data storage, encrypted data backups, incident response planning, training staff to avoid phishing attacks, software patching, and endpoint detection response.


2. Quantify Your Risk
  • Quantification of your government’s inherent risk and residual risk accomplishes two goals:
    • It will help evaluate the value of investing in additional control measures.
    • It will “set the stage” for cybersecurity control vs. cybersecurity insurance decision making.

GFOA has built a sample Excel ransomware risk model that will provide you with a basic understanding of how the risks of a cyberattack could be quantified. This model is not a substitute for professional risk analysis and is intended only as an educational tool. It can be found here: gfoa.org/cyber-insurance.


3. Examine the Potential of Insurance

Initially, governments should conduct an analysis of self-insurance capacity. This is a matter of determining the amount of risk you are willing to absorb internally. Local governments often set up self-insurance for all types of risks. There is no reason that self- insurance couldn’t work for cyber risk as well.

Self-insurance is often most valuable at a point where investing in more controls loses cost-effectiveness and commercial insurance can be made more affordable by accepting a higher retention.

Governments should then consider the usefulness of commercial cybersecurity insurance.These policies provide the most value when the potential losses are too high to absorb via self-insurance. There are various limitations to commercial cybersecurity insurance to be aware of, including:

  • Its rapidly evolving nature
  • Underwriting, Payout Limits and Sublimits, Retentions, Panel Requirements, Exclusions and Definitions


4. Periodically Reassess

A reassessment is critical after a cybersecurity event but should be done regularly even if no events have occurred. The objective is to find out if there are new vulnerabilities, perhaps due to evolving methods of attack used by cybercriminals, and changed or new technologies, operations, etc., that increase or change the attack “surface area” presented by the local government to cybercriminals.


Savvy risk management requires making smart use of strategies to manage that risk. Such strategies include reducing risk by implementing cybersecurity controls, absorbing risk with self-insurance, and when it makes sense, transferring risk to the insurance market by purchasing a commercial insurance policy. Strategies should be reviewed on a regular basis to ensure their effectiveness.