Hamilton cyberattack insurance claim denied due to policy exclusion, taxpayers on the hook $18.3 million

Hamilton taxpayers are on the hook for more than $18 million in cyberattack recovery spending after the city’s insurance claim was denied because the city failed to follow the policy’s requirements.

A new report recently brought forward to City Council says that following the cyberattack the city completed a third-party forensic analysis and submitted a claim to its cyber insurance provider. However, the claim was denied.

It turns out that the city had not fully implemented multi-factor authentication, a basic security process that requires users to provide at least two forms of identity verification to access an account or device.

Because the absence of multi-factor authentication was reportedly the root cause of the breach, the policy provides no coverage for any of the resulting losses.

Once the claim was denied, the city decided to retain coverage legal counsel to examine whether or not the denial was justified.

The legal review confirmed what the insurer had already told the city – that the City of Hamilton had failed to follow policy terms at the time of the cyberattack.

The report continues, “Based on the outcome of the third-party assessment, the city did not pursue further legal action for claims denial against its insurer.”

The report says that since then, the city has implemented “enhanced cyber controls and submitted a detailed application for cyber insurance renewal. As a result, the city successfully renewed its cybersecurity insurance coverage.”

The city also retained Deloitte Canada LLC to conduct a detailed assessment and “develop a cyber resilience roadmap.”

City of Hamilton Mayor Andrea Horwath commented on the update, saying, “I understand why Hamiltonians are frustrated – this was a serious and costly breach.”

“We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard.”

However, she says that the city “acted swiftly” and is “moving forward with focus and determination.”

It was also revealed that cybercriminals demanded a ransom payment of approximately $18.5 million after gaining unauthorized access to an external internet-facing system.

The city opted not to pay the ransom based on advice from CYPFER, the cybersecurity company that the city retained.

CYPFER outlined to the city the risks of paying a ransom in a cybersecurity incident, including the potentially limited effectiveness of promised decryption tools, the high possibility of repeat extortion, and legal and ethical concerns.

Declining to pay the ransom was also consistent with law enforcement and government guidance.

Instead, the city restored systems from available backups and launched a “Build Back Better” initiative “to modernize legacy systems and prioritize technology upgrades.”

The cybercriminals reportedly attempted to destroy all of the city’s backups but failed.

The city contained the incident within two days and recovered the majority of systems from available backups.

Staff also re-emphasized that there remains no evidence that personal information was stolen.
