TECH INSIGHTS: 5 Legal, Financial, and Operational Penalties for Municipalities Not Addressing Cybersecurity Risks
The information contained in this article is not intended as legal advice and may no longer be accurate due to changes in the law. Consult NHMA's legal services or your municipal attorney.
Cities and towns—even the smallest municipalities—not addressing fundamental problems with information technology and cybersecurity are not simply risking a virus that could wipe out data. They risk serious legal, financial, and operational penalties. As stewards of private, sensitive, and confidential information, municipalities must take information technology seriously.
The impacts of IT and cybersecurity underspending, obsolete systems, and poorly trained staff can hurt municipalities from a variety of angles.
The high costs of a cybersecurity incident.
When a municipality experiences a cybersecurity incident without proactive IT support and cybersecurity best practices in place, costs in the aftermath of that incident rise quickly from:
- The time needed to notify authorities and regulatory agencies.
- Hiring emergency IT consultants to address the incident.
- Notifying citizens about the incident and providing them financial reparations (such as free identity theft monitoring services).
- Paying lawyers lots of money to deal with legal issues related to the incident.
- Many hours spent by municipal staff in crisis mode addressing the incident.
Even after addressing the incident, the repercussions may continue to be costly. Lawsuits, fines, and a damaged reputation in the eyes of citizens and businesses will haunt your municipality for months and years.
Losing access to national and state databases (such as crime databases).
When your municipality appears unable to handle sensitive and confidential data, you may lose access to it. Imagine if your police department was unable to access state or national crime databases.
Today, so much information access and sharing requires interdependence—and with interdependence comes responsibility. Do you think a friend would feel comfortable leaving valuables at your house if you never locked it? The same logic applies here. Towns and cities need to implement basic cybersecurity best practices or risk losing access to important information from government agencies.
Paying higher cyber insurance premiums.
Some municipalities think that cyber insurance will help take care of the high costs of a cybersecurity incident. However, municipalities may have renewals declined, or may pay much higher premiums for what’s already costly insurance, if they don’t address some of the following issues:
- Creating a strong password policy—including multi-factor authentication for email, administrative access, and remote access
- Establishing a data backup and disaster recovery plan—with at least two copies of your data backup offsite
- Using enterprise-class antivirus software managed and maintained by IT professionals
- Using endpoint detection and response (EDR)—a tool to detect attackers already inside your systems
- Using modernized, professionally supported hardware
- Keeping software modernized, upgraded, and patched
- Protecting wi-fi access points
- Conducting ongoing employee training about cyber threats
- Establishing clear data access and authorization policies
By taking more proactive steps, municipalities both lower cyber insurance premiums and reduce the risk of having a cybersecurity incident at all.
Cybersecurity continuing to affect municipal borrowing.
Credit-rating agencies such as Standard & Poor's (S&P), Moody’s, and Fitch take municipal cybersecurity into account when considering borrowing rates for municipalities. If towns and cities want to borrow money at lower interest rates, they need to proactively address cybersecurity.
According to a Fitch press release from early in 2021, “Fitch includes cybersecurity in its credit analysis of the municipal sector and as part of its corporate-wide environmental, social and governance (ESG) framework. In addition, we believe cyber events pose financial risk which could impact municipal credit quality. This risk is not limited to the upfront cost of responding to a cyber-attack, but the costs of recovery and realignment of systems as well, which are many times more than the initial cost.”
Arkansas municipalities can lose their charters if they do not maintain specific cybersecurity standards.
In one state, not following cybersecurity standards can lead to the loss of a municipality’s charter. An Arkansas law states that an Arkansas municipal charter can get revoked (yes, revoked!) if the Legislative Joint Auditing Committee finds two incidents of non-compliance with accounting procedures in a three-year period. For example, the Town of Allport almost got its charter revoked this year.
Revoking a charter is serious, rare, and extreme—but it could mean the end of your municipality. The Arkansas Legislative Audit (ALA) includes both general controls and application controls around information systems. For municipalities, accounting systems are often the most important information system they oversee.
There are three important points related to this law:
- Arkansas municipalities can now lose their charter from non-compliance with IT-related accounting practices.
- While the law applies to application controls, it’s wise to follow all IT best practices recommended by the Arkansas Legislative Audit.
- Other states should see Arkansas as a sign of what’s to come—and prepare.
See a pattern? Today, proactive IT maintenance and support goes far beyond just making sure your hardware, software, and systems are running smoothly. Lack of proper “cyber hygiene” can impact the way you protect information, comply with the law, and stay financially sound as a municipality.
About Joe Howland
Joe has been in the IT industry for over 20 years and has extensive IT management experience that spans multiple industries. A UCLA grad with a degree in Mathematics Computation with a Computer Specialization, he worked with Computer Sciences Corporation for 10 years supporting defense and financial sector contracts. Joe joined VC3 in 2009 and during his time with VC3, Joe has performed in the role of Virtual CIO for some of VC3’s largest government customers. Joe is currently VC3’s Chief Information Security Officer and is responsible for VC3’s IT security as well as advising on security for VC3’s customers.
VC3 is a leading managed services provider focused on municipal government. Founded in 1994 with offices across the east coast, VC3 forms partnerships with municipalities to achieve their technology goals and harness their data. In addition to providing comprehensive managed IT solutions, VC3 offers cybersecurity, website design, custom application development, and business intelligence services. Visit www.vc3.com to learn more.