Cyberattack on Saint John could push up city's insurance costs even more - Action News
Home WebMail Tuesday, November 26, 2024, 08:52 AM | Calgary | -16.5°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
New Brunswick

Cyberattack on Saint John could push up city's insurance costs even more

The City of Saint John's insurance costs are rising 26 per cent this year, a number that could change when the city gets a final quote on renewing its cyber liability policy.

Cyber liability policy can't be renewed beyond March 1 while the most recent claim is under review

A silhouetted man hunched over a computer with data illuminated in the background.
The City of Saint John's insurance costs could rise further because of the cyber attack it experienced in November. (Kacper Pempel/Reuters)

The City of Saint John's insurance costs are rising 26 per cent this year, a number that could change when the city gets a final quote on renewing its cyber liability policy.

"The insurance industry is in a hard market not seen in 20 years," Ian Fogan, director of strategic affairs, wrote in a report prepared for the city council meeting Monday night.

"Our overall increase to the entire insurance portfolio is approximately 26 per cent. For comparison, Halifax is experiencing a 46 per centincrease, Moncton a 25 per centincrease and St. John's is seeing a 60% increase."

Fogan said he still can't get a final number on the cyber liability premiums for all of 2021.

He said the city's insurers have only agreed to extend that policy until March 1, while they review the most recent claim and the city's risk exposure.

On Nov. 13, the city discovered that it had been attacked by a ransomware virus and responded by shutting down Saint John's website and its online payment system.

Coun. Shirley McAlary said the final costs of that attack, the damage that ensued and the recovery effort, have yet to be disclosed.

"I don't know if they know that yet," said McAlary. "I haven't heard."

Public needs details, security company says

Richard Rogerson, managing partner of PacketLabs, said Saint John taxpayers should be getting more information about what systems were breached and what kind of data was compromised.

Rogerson, whose company helps government and industry avoid cyberattacks, said there's also a wider public interest in knowing whether Saint John paid its attackers, either directly or through insurance.

A photo of the outside of a tall commercial building, consisting mostly of rectangular windows.
The City of Saint John was targetted by a cyber attack late Friday, Nov. 13. (Julia Wright/CBC file photo)

Rogerson said insurance providerssometimes decide that it's cheaper to negotiate a ransom compared to the time and money it would take to rebuild, restore and fortify the systems and data that were hacked.

"We're likely seeing that the insurance industry is the one that's building the industry of ransomware," said he said.

"If the insurance companies find it's cheaper to pay the criminals, the criminals then take that money and expand their criminal activity.

"I think any amount paid to an attacker, or a criminal, is really money that we need to track and figure out where it went."

No damage report since Nov. 27

Saint John city manager John Collinis expected to give an update Monday night in an open meeting of council.

Other than a notice last week that the city is once again accepting debit and credit card payments, the city has issued no news about the attack since Nov. 27.

At that time, Collinsaid he was balancing his commitment to keep the public informed against the risk of providing information that could benefit the hackers or compromise the police investigation.

Six weeks ago, the city was advising people to check for any "irregularities" on their credit cards "out of an abundance of caution."

CBC News checked back with the cybersecurity firm that raised the alarm that Saint John had been hacked back in 2018.

That's when Gemini advisory discovered batches of personal information and credit cards from Saint John were being offered for sale online as part of the widespread click2gov software hack.

"Gemini has not found stolen payment card data from the City of Saint John in the dark web from this [latest] cyber incident," wrote Christopher Thomas, intelligence production lead for New York-based Gemini Advisory.

"It does appear to have been hit by ransomware, which aligns with the larger cybercriminal trend of attacking and extorting municipalities."

Total costs of insurance portfolio

For now, Saint John is working with a quote of $4,309, for renewing its cyber liability policy until the end of February.

That will provide $2 million in coverage with a $50,000 deductible.

Last year, the city paid $20,591 in cyber liability premiums.

Fogan said the biggest impact to insurance costs will show up in the property premiums, a result of rising property values and increased rates.

Last year's property insurance premiums were $268,167.

For 2021, they're $416,607.

"The combined effect of increases in value and the rate increase yields an overall premium increase of 55 per cent," says Fogan's report to council.

The city has also been advised to hold off on issuing a request for proposals for all its insurance business.

Normally, the city would seek a five-year quote but because of uncertainty in the market, Fogan said Saint John is advised to delay its request for proposals for a year.