UPDATED Wednesday at 10:45 a.m.: Nearly two months after punting on buying $20 million worth of cyber insurance for the city, officials approved the decision Wednesday morning.
The protection is actually two separate insurance policies from Chubb Insurance and AXA XL Insurance, each for $10 million in coverage. The former will cost $500,103 per year, the latter $335,000, for a total of $835,103 annually, according to the city council president’s office.
What’s covered under the policies, according to the Board of Estimates agenda: cyber incident response, “including an investigative team,”; losses from interruptions to business; digital data recovery; and third-party coverage for “cyber privacy and network security, payment card loss, regulatory proceedings and electronic social and printed media liability.”
The board agenda says 17 insurance carriers submitted bids. Coverage from Chubb and AXA XL took effect as soon as the board approved.
The vote came just over five months after hackers struck Baltimore City computers and networks with Robbinhood ransomware, demanding bitcoin payments in exchange for restored control of municipal computers. The attack brought government functions to a standstill, with city employees unable to use their email accounts or computers for weeks, and suspended water billing for city residents for most of the summer.
Mayor Bernard C. “Jack” Young declined to pay the ransom–and even sponsored a U.S. Conference of Mayors resolution for other cities’ top executives to do the same–saying that “[p]aying ransoms only gives incentive for more people to engage in this type of illegal behavior.”
Recovery from the attack cost the city $18 million in all, $10 million from direct costs and $8 million in projected revenue losses.
Frank Johnson, the city’s top-paid official at the time, was roundly criticized for his response to the crisis, and is no longer with the Mayor’s Office of Information Technology as of this month after going on indefinite leave. It was the second attack during his tenure, following a March 2018 attack on the city’s 911 dispatch system.
The spending board, made up of Young, Council President Brandon Scott, Comptroller Joan Pratt, City Solicitor Andre Davis and Public Works Director Rudy Chow, deferred action instead of voting to adopt these same cyber insurance policies in late August, the Baltimore Brew reported.
“We just want to make sure the other members of the board know the terms and all that good stuff,” Young’s spokesman Lester Davis said at the time. He added, “This is an important expenditure, and we want to go above and beyond to make sure they know all the particulars about the insurance.”
Stefanie Mavronis, a spokesperson for Scott, said on Tuesday that the deferral was due to the council president and Pratt having not been briefed on the terms of the policies at the time. Both are more familiar with the plan this time around, she said.
Mavronis had said the council president’s office expected a full vote on adopting cyber insurance Wednesday, rather than another deferral. “Everyone’s shared interest is in not delaying it further.”
This story has been updated.
