Risk Management for Smart Cities
Perhaps the largest looming risk in smart cities is the increase in systems that rely on connectivity. The last few years have shown us that public entities are not exempt from cybercrime. In fact, cities and municipalities seem to be prominent targets. Over 100 state and local governments were attacked by ransomware in 2019 alone,[1] with the damage ranging from a handful of employee computers to widespread loss of data and payment systems. The costs of these attacks also vary greatly from a couple hundred to tens of millions of dollars, with some cities opting to pay the criminals’ ransom demands and others racking up fees to recover data and rebuild systems.
In 2018, the city of Atlanta unfortunately became a prominent example of the damage these attacks can incur. The city no longer had the ability to use online payment systems and years of police dashcam footage was lost, some of which was earmarked as evidence in ongoing trials. One report estimated the cost at $17 million to rebuild and replace the systems that were lost and mitigate future vulnerabilities.[2] While this is certainly on the high end of prospective costs, it’s clear to see that even a fraction of this cost could seriously cripple a smaller municipality if not properly insured.
The cyberattacks to date have generally taken out rudimentary technology, yet they have created large disruptions. Now imagine a world where an attack halts all common payment systems, reprograms connected traffic signals, or disables automated shuttle routes. This could be catastrophic when it comes to business interruption, and it could also pose legitimate safety concerns for the commuters in the city.
The potential downsides of these technological advancements seem daunting, but keep in mind that resilience is forged through progress. The current success of cybercriminals can be partially attributed to a lack of preparation on the part of city planners and risk managers alike. Implementing new smart systems brings about the opportunity to reassess the current approach to cybersecurity and places a renewed importance on protecting the systems that run a city, as well as the residents who rely on them. For this reason, increasing the amount of connected things will not necessarily lead to a proportionate increase in exposure and insurance costs, due to the offsetting nature of better cyber protection.
As cities become smarter, forming a risk management plan that focuses on risk avoidance, mitigation, transfer, and tolerance will become more challenging. The focus should not be on finding that perfect balance, but rather having a well thought out plan in the first place. Risk managers should be brought to the table as cities look to become smarter. The allocation of resources to preventive versus reactive measures needs to be discussed collaboratively to provide the utmost risk management flexibility.
“Smart cities” will need “smart” risk managers, which is why risk management collaboration should not end there. Determining the amount of risk to insure and self-insure will be difficult without the expertise of brokers, actuaries, IT professionals, and other risk managers, not to mention the engineers developing and testing this smart technology. Continue to seek opportunities to educate yourself on these emerging risks and build your risk management strategies today as your city plans for tomorrow.
[1] Recorded Future (December 20, 2019). State and Local Government Ransomware Attacks Surpass 100 for 2019. Retrieved October 5, 2021, from https://www.recordedfuture.com/state-local-government-ransomware-attacks-2019/.
[2] Deere, S. (August 1, 2018). Confidential Report: Atlanta’s cyber attack could cost taxpayers $17 million. Atlanta Journal-Constitution. Retrieved October 5, 2021, from https://www.ajc.com/news/confidential-report-atlanta-cyber-attack-could-hit-million/GAljmndAF3EQdVWlMcXS0K/.
*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*
By: Drew Groth, ACAS, MAAA
Associate Actuary, Milliman
Drew is an associate actuary in the Milliman Milwaukee office with expertise in predictive modeling, ratemaking and loss reserving. He has experience in varying lines of business including workers' compensation, personal lines and commercial auto, with clients ranging from self-insured corporations to large insurance providers. Drew also has experience working on projects with start-up companies where out of the box thinking is required to craft customized solutions. Through his diverse experience at Milliman, he has developed a passion for autonomous vehicle technology with respect to risk management and insurance, especially as it concerns commercial uses.
By: Jonathan Riehl, PhD, PE
Transportation Systems Engineer, University of Wisconsin-Madison
Jon is a transportation systems engineer in the Traffic Operations and Safety Lab at the University of Wisconsin-Madison and helps manage the Wisconsin Automated Vehicle Proving Grounds, including the Park Street Connected Corridor and the automated shuttle program. His work responsibilities include research in transportation systems management and operations (TSM & O), connected and automated vehicles and geographic information systems (GIS), and teaching. Jon holds a PhD in civil engineering from Michigan Tech and has master’s degrees in electrical engineering, geography, and business.