How Public Entities Can Better Manage Cyber Risks

Travelers red umbrella.
By Travelers
7 Minutes
Software Developer team is discussing on software develop progress and sharing ideas in tech business office.

Cities, towns and municipalities face unprecedented challenges in today’s changing risk environment:

  • Balancing limited budgets in a volatile economy.
  • Protecting citizens amidst continuing civic and geopolitical unrest.
  • Competing to attract and retain skilled workers in a tight labor market.
  • Overcoming supply chain disruptions to deliver essential services.

Each of these issues warrants careful attention and consideration. Yet, according to the 2023 Travelers Risk Index, cyber threats remain a top concern.

58% of survey participants reported that they worry some or a great deal about cyber risks.1  

79% of survey participants agreed that it is hard to keep up with the evolving cyber landscape and latest threats.1  

From AI to IoT, public entities are increasingly under pressure to upgrade outdated systems and adopt new technologies that can help better protect and serve their citizens. But becoming a “smarter,” more connected city can exacerbate existing, or create new, cyber-related vulnerabilities — and even the most well-funded municipalities may struggle to secure the resources required to effectively manage the risk.

Cybersecurity can be considered a civic duty.

Public entities handle sensitive information that needs protecting, from personally identifiable information (PII) for citizens and employees, such as social security numbers, medical records and financial information, to classified government information. They may also be responsible for securing the critical infrastructure and vital services their constituents need to live, work and thrive. Today that can mean modernizing systems and digitizing the processes that allow municipalities to effectively treat wastewater, extinguish fires, balance budgets, run community programs, distribute energy, provide emergency services, maintain roads and buildings and more.

As civic organizations increasingly rely on technology to meet these obligations, safeguarding the people, programs and property under their jurisdiction from the potentially devastating impact of a cyber incident is more important than ever. Just one data breach or cyberattack can result in:

  • Loss of sensitive data. Theft, compromise or destruction of PII could cause harm to citizens, vendors and other municipal partners.
  • Erosion of public trust. Reputational damage and loss of faith in an organization’s ability to protect information and individuals can impact a public entity’s ability to carry out its mission.
  • Disruption of critical services. The inability to provide vital healthcare, transportation, energy and other civil services to communities can put lives and livelihoods in jeopardy.
  • Financial losses. The costs to mitigate the impact of a cyber incident, including investigating the cause, restoring systems and data, repairing reputational damage, paying settlements and fines or covering legal and consultative fees, add up quickly.

Public entities remain an attractive target for cybercriminals.

Cities, towns, municipalities and other publicly funded organizations may face unique challenges, including budgetary constraints, that may make their infrastructure more susceptible to cybercrime such as: 

  • Outdated technology. Legacy systems may be unable to support the latest security patches or most up-to-date, secure versions of software and operating systems.
  • Organizational complexity. Lack of centralized IT management and oversight between municipal departments can undermine enterprise-wide network administration and cybersecurity efforts or goals.  
  • More access points. Connected cities have larger attack surfaces — or “perimeters” — giving cybercriminals more endpoints that can be exploited to gain access to their entire network.  
  • Lack of universal standards. Networks managed by non-integrated teams of in-house staff and third-party providers often lack cohesive cybersecurity and risk management strategies, rules and roles.  

The “perimeter” is everywhere, so “layers of protection” may be best.

Many organizations focus cybersecurity efforts on protecting their networks from outside threats, believing that a strong perimeter defense will keep them safe. But the truth is that the “perimeter” as we once defined it has evolved and now exists everywhere. It’s the employee that makes a remote connection from a coffee shop. It’s the interface to a water treatment controller. It’s the sensitive personnel data stored by your HR cloud provider. Each of these access points make up the new perimeter, which calls for a different mindset about cybersecurity: It’s not about bigger and thicker walls preventing the outside from penetrating the inside anymore; it’s about having several overlapping, complementary layers of defense at every location, on every device and for every way business is conducted throughout your organization.

Also consider that public entities with limited financial and human resources can often be forced to make tough choices and trade-offs when it comes to cybersecurity. That may mean attention and funds get disproportionately allocated to shore up what are believed to be the most important controls (such as perimeter firewalls), rather than protecting what may actually be the greatest vulnerabilities (such as not verifying the identity of a user logging in as an administrator).

There’s a security adage that goes something like this: an attacker only needs to be lucky once, but the defenders need to be lucky every time.

All it takes is one opening such as:

  • An employee falling for a phishing scheme.
  • Failing to verify a user’s identity.
  • Outdated software.
  • Poor password policies.  

To give cybercriminals the “in” they need to:

  • Compromise or hold data hostage.
  • Eavesdrop or redirect payments.
  • Endanger employees and citizens.
  • Bring municipal operations to a halt.  

Therefore, no cyber strategy should be considered complete without investment in the following basics:

  • Implementing a Multifactor Authentication (MFA) system.
  • Keeping systems up to date.
  • Monitoring systems with Endpoint Detection and Response (EDR).
  • Having an Incident Response (IR) Plan in place.
  • Securely backing up your critical data and systems.  

Beyond controls, cybersecurity starts at the top.

Maintaining proper cyber hygiene is more than a matter of implementing controls. It must be part of the culture, and the tone must be set from the top. Leadership must champion and participate in organization-wide cybersecurity efforts, and should consider implementing practices such as those recommended in the federal Cybersecurity & Infrastructure Security Agency’s (CISA) “Partnering to Safeguard Localities from Cybersecurity Threats Toolkit”: 

  • Establishing a culture of security by including and aligning cybersecurity goals with overall organizational goals.
  • Selecting and supporting a “Security Program Manager” to report on progress and roadblocks. The Security Program Manager can be anyone with the appropriate level of authority in your organization and does not have to be an IT or cyber expert.
  • Reviewing and approving your incident response plan, as well as participating in tabletop exercises in collaboration with leaders across the organization.
  • Supporting your organization’s IT leaders, including making announcements about cyber initiatives.

 Or, for organizations with limited resources:      

  • Work with the state/local planning committees to leverage the State and Local Cybersecurity Grant Program (SLCGP), which provides funding to support state, local, tribal and territorial (SLTT) governments’ efforts to address cyber risk.
  • Consider implementing free or low-cost services, such as the free “Cybersecurity Services and Tools” available from CISA, to make near-term improvements when resources are scarce.
  • Ask more of technology providers, requesting that all technology used for core government functions have strong security controls enabled by default, for no additional charge.

A solid cybersecurity strategy includes a solid insurance policy and provider.

Public entities are exposed to an ever-evolving landscape of cyber risk. While establishing the proper controls can help reduce the likelihood and impact of an incident, none can fully eliminate the risk. A trusted insurance partner is important, as is a robust cyber policy, like Travelers CyberRisk for Public Entities, which can offer an extra layer of protection, providing critical coverages and risk management services to help effectively plan for, respond to and recover from an incident while minimizing the potential impact on your organization and the people, data and property it is entrusted to serve and protect.

Contact your insurance agent or a Travelers representative to discuss your specific cyber coverage needs.

Cracking the Cybersecurity Code: 5 Cybersecurity Practices for Public Entities infographic, see below for details

1Travelers Risk Index, The Travelers Indemnity Company, 2023. (1,202 total business insurance decision-makers in many industries were surveyed: 108 construction, 71 real estate, 101 healthcare, 110 technology, 106 retail, 86 transportation, 56 wholesalers, 110 professional services, 106 manufacturing, 164 banking, 264 publicly traded companies, 96 nonprofits, 46 public sector.

Young businesswoman sitting on a park bench, logging in to laptop while holding smartphone with a security key lock icon on the screen.

Top Stories

How Multifactor Authentication Can Help Protect Against Cyber Threats

Multifactor authentication (MFA) can help stop cyberattacks by requiring a second form of verification that can block most account-compromising attacks.

Related Products & Services

We understand the complexity of cyber threats and have cyber liability insurance solutions to help protect your business assets.

We specialize in serving public entities and maintain industry-specific expertise to help remove the uncertainty of risks unique to this segment.

More Prepare & Prevent

Cyber Risks and Your Business

Take a look inside how a data breach can affect a business and what a business can do to help protect against cyber risks in this video.

Cyber risks and your business.

More Prepare & Prevent

Responding to a Data Breach Takes a Team

Small and midsized businesses may be the most vulnerable, and least prepared, to handle a data breach. Without employees trained to handle questions a breach can bring, the effects on the business can be catastrophic.

Business team responding to a data breach in the office.

More Prepare & Prevent

Cyber Risk Pressure Test

Cybercrime has become increasingly frequent, complex and costly. What could your company be doing to better manage the risk? Take our four-part questionnaire to find out. #HarnessRisk

Red padlock with checkmark icon set atop a grey world map.