August 4, 2021
Need to Assess Tech in Public Risk Pools
by Lee Mashore
The ransomware wave is a learning moment for public entity risk pools that have been trying to define a path to digital maturity.
With more than 90,000 public entities in the U.S., the Association of Governmental Risk Pools (AGRiP) estimates that at least 80% participate in one or more pools. By pooling their risk and accountability, these not-for-profit organizations can economically provide risk management and loss control, underwriting, claims management and a comprehensive package of insurance coverages that typically includes property, casualty and workers’ compensation. This effort supports a pool’s #1 priority: the co-owners of the pool—its members. These members hail from local and state municipalities, including entire fleets of first responders (fire, police), public utilities, school districts, government-run hospitals, public libraries, community colleges, support staff and more. Accordingly, the typical pool must ensure its technology systems can reliably support the needs of its members.
Ensuring uptime is paramount. During COVID, pools — like most private or corporate sector organizations — were forced to adjust how they worked, many prioritizing their IT wish list to maintain operational performance and resiliency. But, unlike most organizations, pools are restrained by outdated legacy systems and a limited, fixed budget. As a result, that wish list remains a wish, not a reality.
Undoubtedly, budget concerns are one of many issues facing pools: Often, these organizations don’t have a large IT staff and are forced to maintain operations “the way it’s always been done,” cobbling along in the hopes that risks will be minimal. In actuality, the risks facing these organizations are at an all-time maximum.
This conundrum is complicated by the fact that most pools rely on antiquated databases and Microsoft Office products for the bulk of their day-to-day operations. At a minimum, this reliance opens the door to Outlook phishing, making the pool more vulnerable to cyber criminals. Many may use Excel or other inexpensive spreadsheet programs that make it difficult to access data and almost impossible to regroup on errors. Imagine the time required to backtrack, inspect various versions of the spreadsheet’s values, calculations, source data and file history to correct the error, wreaking havoc with routine financial or regulatory reporting. Some pools use insurance core system software that, with the exception of claims, includes workflows that don’t necessarily match with the pool’s own protocols.
If all this doesn’t spur you to think differently about how technology is managed, consider the largest, most recent risk affecting pools: ransomware. Public entities are one of the most targeted sectors yet often have the fewest resources and capabilities to prepare for and respond to ransomware attacks. Consider that 2,400 U.S.-based governments, health-care facilities and schools were victims of ransomware in 2020, according to Council on Foreign Relations blogger Michael Garcia. In 2020, cyberattacks cost government organizations in the U.S. approximately $18.88 billion in downtime and recovery costs, according to a report from consumer tech information company Comparitech. And local governments continue to experience the greatest number of ransomware attacks, according to security company Blackfog.
Foundation a Critical Asset
Yes, ransomware is a network issue, and, with ever-evolving ransomware keys and infiltration methods, there’s no way to prevent an attack with 100% certainty. But the rise in cybercrime is spurring pools across the country to wake up to the fact that it’s the pool’s technology foundation that enables them to best respond to their individual public entity members, which makes that foundation more valuable than ever. Without a unifying approach to IT management that includes modernization, pools will continue to struggle to operate efficiently, much less deter, disrupt, prepare for and respond to ransomware events.
Let’s revisit the statement about pools and their fixed budgets. As pools work with members on their annual loss control programs, they ask: What is the cost of not modernizing systems that are used to make city payroll, keep utilities up and running, communicate with first responders and even save lives? If nothing else, the latest wave of ransomware is a learning moment for pools that have been trying to define a path to digital maturity.
That path, which can be undertaken by pools of all sizes, begins by conducting a basic technology assessment, which can be used to identify both known and unknown risks, issues that affect data access, workflow, operational performance and resiliency, network and systems’ vulnerabilities, mobility and, of course, security.
The good news is that pools that have undertaken tech assessments are finding that their legacy systems can stay put—there are inexpensive ways to modernize and drive immediate front-end results without an overwhelming rip/replace approach. And, there are solutions available that can facilitate a stepped approach to evaluating protocols, optimizing processes, enhancing workflows and improving services.
Let’s face it: Whether in it for a profit or not, pools want to reduce operational costs, increase policyholder/member satisfaction, offer systems that are attractive to younger IT workers and form a solid and secure foundation for the future.
Recent events tell us that it’s no longer an option to “just get by” or “wait and see.” The choice pools face today is a calculated one, and it’s important to recognize that their goal, to attain effective integrated risk management, is only as powerful as the technology foundation that supports it.