Essential infrastructure is a growing target for cybercrime across Canada, making cybersecurity a top municipal governance issue. To avoid the widespread operational and financial fallout of a breach, CAOs and CFOs must invest in proactive risk mitigation measures to minimize the likelihood and severity of cyberattacks.
With nearly 10 years of insurance and risk management experience, Daniel Tassoni, Senior Client Executive, Commercial Insurance, shares his expert insights on how municipal financial leaders can build cyber maturity into their budgets.
Cyber threats have shifted from being an abstract IT concern to an operational and financial risk that can halt municipal services.
Municipalities that plan cyber investment the same way they budget for roads, water systems or fleet maintenance are better positioned to safeguard continuity of operations.
Treating cyber preparedness as core infrastructure, not discretionary spending, can help protect insurability, public trust and service resilience.
5 reasons why Canadian municipalities are prime cyber targets
Ransomware, phishing, vendor breaches and business email compromise routinely target local governments because of the critical services they deliver and the pressure to restore operations quickly.
The result is a higher likelihood of ransom payment, financial fallout and significant recovery costs that extend far beyond the breach itself.
Cyber threat 1: Essential municipal services rely on IoT and OT
The mass digitization of municipal operations means cybercriminals know it can take just one successful breach to rapidly disable phone systems, portals, scheduling systems, citizen-facing services and essential infrastructure.
Unsurprisingly, the Canadian Centre for Cyber Security has noted increasing attacks against municipal governments, with most cases involving:
- social engineering
- unauthorized network access
- ransomware

Case study: City of Cold Lake, AB, ransomware attack
In July of 2024, the City of Cold Lake experienced a ransomware attack, which caused widespread disruption. The breach impacted the municipality’s phone systems, payment processes and email communication across all facilities, including:
- City hall
- Energy centre
- Family and Community Support Services (FCSS)
- Public works
- Marina
- Golf course
- Transfer station
The recovery period to reinstate all systems and services took several weeks.
Cyber threat 2: Municipalities store large volumes of personal information
Personally identifiable information (PII) for staff, residents, patrons and donors is kept on file across municipal departments and affiliated agencies. Data theft resulting from a breach can lead to mass notifications, regulatory attention and lengthy recovery times.

Case study: Toronto Public Library ransomware attack
In October 2023, the Toronto Public Library experienced a ransomware attack, in which their data was exfiltrated and encrypted. In addition to months-long system disruptions, Ontario’s privacy regulatory commission reported the breach affected the personal information of approximately:
- 8,000 staff members
- 4,100 customers, donors and volunteers
- 1,800 beneficiaries
Cyber threat 3: Municipalities rely on third-party and shared platforms
The use of shared platforms and third-party IT services for functions such as HR, payroll, public health information, file transfers and more puts municipalities at risk of a breach. Cybercriminals are increasingly coordinating attacks on IT supply chains, as it only takes one strike to exfiltrate data from multiple departments and organizations.

Case Study: Cyberattack on Nova Scotia’s MOVEit System
In May of 2023, the Government of Nova Scotia was hit by the global attack on the MOVEit file transfer system. It’s estimated that personally identifiable information (PII) of more than 100,000 Nova Scotians was accessible through the breach, impacting:
- government employees
- teachers
- students
- healthcare patients
- pension plan recipients
Cyber threat 4: Municipal payables vulnerable to social engineering and financial fraud
Business email compromise, in which cybercriminals impersonate trusted contacts to divert payments, is a significant risk. One successful scam can quickly rob local governments of significant sums.

Case Study: City of Saskatoon, SK, loses $1 million in financial fraud
In August of 2019, the City of Saskatoon lost more than $1 million after falling for a fraudulent email. The cybercriminal, who claimed to be the CEO of a construction company the city dealt with regularly, successfully convinced the recipient to change the company’s banking information so funds were sent to a fraudulent account.
Cyber threat 5: Municipal resource constraints and old systems make for an easy target
Municipalities often operate with small teams and legacy technology. This translates into slower integration of cybersecurity measures, which insurers require to provide coverage from escalating cyberattacks.

Case study: City of Hamilton, ON, ransomware claim denied
In February 2024, Hamilton experienced a ransomware attack, which disabled approximately 80% of the city’s network. This cyberattack impacted city services for several weeks, including:
- business licence processing
- property tax
- transit planning
- finance and procurement systems
While the city had cyber insurance, the claim was denied as the required multi-factor authentication protocols were not put in place. As a result, the city had to spend more than $18 million on response, system recovery and third-party support.
Municipal government cyber insurance checklist: 7 prerequisites for coverage
Insurers have always expected policyholders to share in some of the risk, which is why risk mitigation is a critical requirement for commercial insurance.
This holds true for obtaining cyber insurance for local governments. Underwriters expect municipalities to have specific cybersecurity measures in place. At a minimum this includes:

Multi-factor authentication (MFA)
MFA requires multiple verification factors beyond passwords to confirm an individual’s identity. Insurers expect MFA to be used on email accounts, VPNs, cloud apps, remote access and more because it’s a proven and simple way to minimize breaches.

Endpoint detection and response solutions (EDR)
EDR tools monitor endpoints for suspicious behaviour, detect threats and quickly contain attacks. Insurers require EDR because it reduces the impact of a breach by stopping attacks before they spread widely.

Secure and offline backups
These create a safe and available copy of critical data and systems for municipalities. Insurers mandate secure, offline backups because having these accessible can limit business interruption and extortion risk in the event of a cyberattack.

Network segmentation
This divides networks into isolated zones with strict access controls. Insurers require network segmentation because it limits lateral movement, helping to contain breaches to small segments, thus minimizing the potential severity of a cyberattack.

Privileged access management
This governs who can perform powerful actions, for how long, and under what approvals, with full session evidence. Insurers require privileged access management as it can sharply reduce ransomware impact, data theft and operational downtime.

Continuous staff training
Human error is the biggest risk when it comes to cyberattacks. That’s why insurers insist on regular staff training, as educated employees are more likely to catch a phishing attempt and report anomalies, which helps to minimize the severity of a breach.

A tested incident response plan
A defined and regularly rehearsed response plan outlines who does what, when and how in the event of a cyberattack. Insurers mandate this because a coordinated response can minimize the spread of a breach and speed up recovery.
The above list provides a high-level overview of the minimally required cyber controls that insurers now expect. Local governments should work with an Acera Insurance advisor to determine their cyber insurance needs and to clearly understand and action the cybersecurity measures that insurers require in exchange for coverage.
How can local governments invest against cybercrime?
Municipal governments have what cybercriminals want: Interconnected networks, data, cashflow and old technology.
When it comes to protecting municipalities from escalating cyber risks, cyber insurance and cybersecurity go hand-in-hand.
Cyber insurance provides a safety net for when an attack may breach cyber controls.
And established cybersecurity helps to minimize the risk and is also required to obtain cyber insurance — and to get a claim paid, as evident from the City of Hamilton case study above.
One without the other leaves local governments vulnerable to a cyberattack.
As cybercrime continues to escalate and evolve, municipal financial leaders must prioritize investing in proven risk mitigation measures that can thwart breaches that cause financial, reputational and legal fallout.
FAQs: What municipal finance leaders need to know about cyber risk, required controls and insurability
Acera Insurance’s Daniel Tassoni answers three questions about cyber maturity for municipal financial leaders.
Essential services like water, transit, permitting and emergency services now rely on operational technology (OT) and Internet of Things (IoT) systems. This means cybersecurity can no longer be treated as solely an IT problem. Failure to incorporate cybersecurity as core infrastructure could result in operational, legal and financial risks and disrupt critical services in the event of a successful attack.
When it comes to funding cybersecurity, municipal financial leaders must think beyond a percentage of their IT budget. Instead, municipalities need to factor in how much it costs to cover people, processes, tools, training, incident response and cyber insurance to determine the true cost of adequate cybersecurity.
Cyber insurance should be treated as a critical component of your municipality’s risk management strategy — not as a substitute for cybersecurity controls. Insurers are increasingly requiring proof of multi-factor authentication, secure and online backups, privileged access management and staff training as prerequisites to obtain and maintain coverage. These cyber controls can also help influence premium stability and market appetite.
Daniel Tassoni, Senior Client Executive and Municipal Team Lead, brings nearly 10 years of insurance and risk management experience along with specialized expertise serving municipal governments. Connect with Daniel at daniel.tassoni@acera.ca or 250.869.6082.
