Cyberattacks are one of the many risks facing Public Entity Risk Pools and a learning moment for those trying to define a path to digital maturity and build a solid foundation for the future.
Public entity risk pools (pools) are wholly adept at managing risk. With more than 90,000 public entities in the United States, the Association of Governmental Risk Pools (AGRiP) estimates that at least 80 percent of them participate in one or more pools.
By pooling their risk—and accountability– these not-for-profit organizations can economically provide risk management and loss control, underwriting, claims management, and a comprehensive package of insurance coverages that typically include property, casualty, and workers’ compensation. This effort supports a pool’s number-one priority: the co-owners of the pool—its members. These members hail from local and state municipalities, including entire fleets of first responders (fire, police), public utilities, school districts, etc., government-run hospitals, public libraries, community colleges, support staff, and more. Accordingly, the typical pool must ensure its technology systems can reliably support the needs of its members.
This means ensuring uptime is paramount. During COVID, pools–like most private or corporate sector organizations–were forced to make adjustments in how they worked, prioritizing their IT wish list to maintain operational performance and resiliency. But unlike most organizations, pools are restrained by outdated legacy systems and a limited, fixed budget, and as a result, that wish list remains a wish, not a reality.
Undoubtedly, budget concerns are one of many issues facing pools: Often, these organizations don’t have a large IT staff and are forced to maintain operations “the way it’s always been done,” cobbling along hoping that the risks it faces will be minimal. In actuality, the risks facing these organizations are at an all-time maximum.
This conundrum is complicated because most pools rely on antiquated databases and Microsoft Office products for the bulk of their day-to-day operations. At a minimum, this reliance opens the door to Outlook phishing, making the pool more vulnerable to cybercriminals. Many may use Excel or other inexpensive spreadsheet programs that make it difficult to access data and almost impossible to regroup on errors. Imagine the time required to backtrack, inspect various versions of the spreadsheet’s values, calculations, source data, and file history to correct the error, wreaking havoc with routine financial or regulatory reporting. Some pools use insurance core system software that, with the exception of claims, includes workflows that don’t necessarily match with the pool’s own protocols.
If all this doesn’t spur you to think differently about how technology is managed, consider the largest, most recent risk impacting pools: ransomware. Public entities are one of the most targeted sectors yet often have the least resources and capabilities to prepare for and respond to ransomware attacks. Consider that 2,400 U.S.-based governments, health-care facilities, and schools were victims of ransomware in 2020, notes Council on Foreign Relations blogger Michael Garcia. In 2020, cyberattacks cost government organizations in the United States approximately $18.88 billion in downtime and recovery costs, according to a report from consumer tech information company Comparitech. And local governments continue to experience the greatest number of ransomware attacks, according to security company Blackfog.
Yes, ransomware is a network issue, and with ever-evolving ransomware keys and infiltration methods, there’s no way to prevent an attack with 100% certainty. But the rise in cybercrime is spurring pools across the country to wake up to the fact that it’s the pool’s technology foundation that enables them to best respond to their individual public entity members, which makes that foundation a critical asset–and more valuable than ever. And without a unifying approach to IT management that includes modernization, pools will continue to struggle to operate efficiently, much less deter, disrupt, prepare for, and respond to ransomware events.
Now let’s revisit the statement about pools and their fixed budgets. As they work with members on their annual loss control programs, they ask: What is the cost of not modernizing systems used to make city payroll, keep utilities up and running, communicate with first responders and even save lives? If nothing else, the latest wave of ransomware is a learning moment for pools trying to define a path to digital maturity.
That path, which can be undertaken by pools of all sizes, begins by conducting a basic technology assessment, which can be used to identify both known and unknown risks, issues that affect data access, workflow, operational performance and resiliency, network and systems’ vulnerabilities, mobility, and, of course, security.
The good news is that pools that have undertaken tech assessments are finding that their legacy systems can stay put—there are inexpensive ways to modernize and drive immediate front-end results without an overwhelming rip/replace approach. And, there are solutions available that can help them take a stepped approach to evaluating protocols, optimizing processes, enhancing workflows, and improving services to its most important priority: its members.
Let’s face it: whether in it for a profit or not, pools want to reduce operational costs, increase policyholder/member satisfaction, offer attractive technology systems to younger IT workers, and form a solid and secure foundation for the future.
Recent events tell us that it’s no longer an option to “just get by” or “wait and see.” The choice pools face today is a calculated one, and it’s important to recognize that their goal—to attain effective integrated risk management–is only as powerful as the technology foundation that supports it. It just takes that first step.
Interested in learning more? Contact us to discuss how the expert team at Vergence can guide your Public Entity Pool on the journey towards digital and workflow transformation.