By Clare O’Gara
Mon | Oct 21, 2019 | 8:00 AM PDT

Earlier this year, the City of Baltimore made an $18 million decision to refuse the hackers who were holding city data for ransom.

Now, Baltimore just made another high-dollar decision.

Only this time, the city is investing in a more secure cyber future.

Baltimore buys cyber insurance

After experiencing a ransomware attack and refusing to pay an $80,000 ransom to hackers, Baltimore spent an estimated $18 million to recover from the damages.

Now, the city wants to ensure that this event never happens again—or if it does, someone else will pay for it.

Officials just approved a $20 million cyber insurance plan for the city.

According to the Baltimore Fishbowl, this is what the plan covers:

  • Cyber incident response, "including an investigative team"
  • Losses from interruptions to business
  • Digital data recovery
  • Third-party coverage for "cyber privacy and network security, payment card loss, regulatory proceedings and electronic social and printed media liability."

Dr. Larry Ponemon, Founder of the Ponemon Institute, told us at SecureWorld Detroit that a growing number of organizations now use cyber insurance as a tool for reducing exposure from a cyberattack. And more probably should.

"A lot of organizations could benefit by having a policy that covers big issues that occur with low frequency. For example, a breach of more than a million records."

Now you can add Baltimore to the list of organizations that have cyber insurance coverage. 

Baltimore's refusal to pay the ransom

Baltimore's decision to forgo ransom payments in early 2019 was met with criticism from city taxpayers, particularly because the city ended up paying so many millions more than the hackers demanded.

It turns out that some of Baltimore's reasoning for the choice was about principle, and some was about the cyber posture of the city at the time.

Mayor Bernard C. "Jack" Young defended the decision:

"Well, first, we've been advised by both the Secret Service and the FBI not to pay the ransom. Second, that's just not the way we operate. We won't reward criminal behavior. 

If we paid the ransom, there is no guarantee they can or will unlock our system.

There's no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there's no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future.

Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I'm confident we have taken the best course of action."

And next time, perhaps the insurance company can pay for it.
