Inside City Hall
At long last, Baltimore has cyber insurance
A timeline of the city’s efforts to obtain insurance against cyberattacks – and its ongoing payments to consultants to ward off future “events”
Above: Mayor Young last May with since-departed Chief Information Officer Frank Johnson and City Solicitor Andre Davis. (Mark Reutter)
It took seven weeks and required three different explanations, but the Board of Estimates has finally approved a $835,000 insurance package to protect the city monetarily from future cyberattacks.
Yesterday’s agreements with the insurance giants Chubb and AXA will provide $20 million in coverage against the kind of virtual assault that took place last May, which knocked out Baltimore government computers for weeks on end and paralyzed the water billing system for three months.
The attack directly cost taxpayers $10 million, with many millions more in lost productivity.
The insurance package includes a $1 million deductible, which means the city is responsible for the first $1 million in costs of any future attack. The coverage will go into effect immediately for one year, Finance Director Henry Raymond said yesterday.
A Slow Process
Based what’s been publicly disclosed, the terms approved yesterday were identical to the terms presented to the board on August 28 before the item was unceremoniously yanked from the agenda.
Since cyber insurance was described as a top priority of Mayor Bernard C. “Jack” Young, who last May said he was shocked to learn that the city had none, The Brew has been tracking the item’s progress.
The contract with Chubb and AXA was supposed to make its reappearance at the board’s September 11 meeting. Instead, it remained MIA until it popped up on page 20 of this week’s agenda.
The mayor’s spokesman at first explained that Comptroller Joan Pratt and City Council President Brandon M. Scott had to be briefed on the insurance package “as a matter of courtesy.”
This was followed by his statement in late September that the insurance contracts were “premature” and were under review by the law department. (As a matter of routine, all contracts that come before the BOE are supposed to be vetted by the law department.)
Raymond took the blame yesterday, saying item had been delayed “to give the Finance Department additional time to properly [review] the contract to assure all entities and quasi-units of city government were included.”
The city had contacted 17 insurance companies before they choose Chubb and AXA, Raymond said, then went back to the insurers to make sure “we are getting all the coverage we need in case there is a future event.”
The board also approved $3,777,370 in payments to seven vendors and consultant groups who helped the city dig its way out the cyber mess.
These were so-called “emergency procurements” authorized by Raymond last May without standard competitive bidding.
Here is the breakdown of the payments, chiefly for third-party staff and services:
Note that $771,708 went to Crypsis, a Fairfax, Va., cybersecurity company. Separately, the board authorized a $300,000 master services agreement with Crypsis, beginning yesterday for a period of 130 days – or $2,307 a day.
The purpose of this agreement is to identify security gaps and provide recommendations to assist the city’s technology office “to maturation.”
Crypsis is well qualified because over the last five months of “providing remediation suggestions” to the city, it has “obtained unique familiarity with the network current environment,” according to the board’s agenda.
Were the agreement not approved, “the city would be at risk if another cyber event were to take place.”