The Transaction Costs of Municipal Cyber Risk Management

April 23, 2024
By: Rowland Herbert-Faulkner

Cities of all sizes are vulnerable to a range of cyberattacks, including data breaches, financial theft, ransomware, and denial-of-service attacks. Yet the capacity of cities to prepare for and respond to cyber threats varies widely, and city governments often struggle to understand the resources required to defend their digital resources.

A new white paper from the UC Berkeley Center for Long-Term Cybersecurity, The Transaction Costs of Municipal Cyber Risk Management, brings to light the transaction costs associated with municipal cyber risk management, including the costs of searching for information, coordination between parties, drawing up and enforcing contracts, negotiation, inventory and monitoring, and compliance and enforcement. These costs are not always factored into the “sticker price” for cybersecurity products and services, but they should be taken into account by cities seeking to allocate resources toward their digital defense.

The paper was authored by Rowland Herbert-Faulkner, a PhD Candidate in the Department of City and Regional Planning at UC Berkeley whose dissertation research focuses on technology governance at the municipal and regional scales. “When [transaction] costs are unaccounted for, decision-makers find themselves surprised and unprepared, leading to changes in administrative activities and cost overruns not captured by the initial resource allocations,” Faulkner writes. “The guidance and resources provided to city governments by the private sector and federal and state governments are unequivocally essential, but local governments will benefit from knowing what expenditures—especially temporal and financial expenditures—are required to access and leverage cyber risk management resources across all timescales.”

The paper details how cities have become increasingly vulnerable to costly cyberattacks. For example, in 2018, a cyberattack cost the city of Atlanta $17 million for response, recovery, and remediation. In 2019, a ransomware attack cost the city of Baltimore $5.3 million to respond, in addition to over $14 million in lost revenue because of compromised payment collection systems. And in 2023, the hacker group Play Ransomware leaked 10 gigabytes of data that they had stolen from the city of Oakland, California. “Despite the increased media coverage of such attacks, not all cyber incidents are detected, and of those that are detected, not all are reported, a reality that underscores the magnitude of the cyber risk challenges local governments face,” Faulkner writes. “Legacy hardware and software, along with disparities in personnel risk awareness and capacity to preempt and respond to incidents, have left cities especially vulnerable to cybercrime. Further, municipalities cannot afford any downtime and must restore compromised services as quickly as possible following an attack.”

Faulkner used a variety of research methods to investigate the source, nature, magnitude, and timescale of the cybersecurity transaction costs that cities bear. He conducted semi-structured interviews with a range of professionals involved in different ways with cybersecurity for municipal governments, including municipal IT managers, insurance adjusters, executive search professionals, threat analysts, legal experts, CPAs, auditors, industry and academic researchers, cybersecurity program managers, and CIOs and CISOs. He also analyzed government and industry publications and media reports, and conducted a review of related cybersecurity scholarship. 

Among the key findings detailed in the report:

  • The main sources of transaction costs in municipal cyber risk management include risk mitigation (including “self-insurance,” cyber hygiene, and administration and talent acquisition) and risk transfer (e.g., purchasing cyber insurance). Cyberattacks force cities to mitigate future risk through time- and resource-intensive coordination, procurement, and contracting efforts.
  • Partnerships with the private sector and third parties are essential, though they drive up transaction costs, especially in terms of contracts and negotiations. “There is no feasible governance arrangement in which municipalities can independently manage cyber risk,” Faulkner writes. “Managing cyberphysical systems at the municipal scale requires extensive contracting between public institutions and private firms; addressing product insecurities and the associated liabilities; federal, state, and local interagency coordination; and navigating dynamic political contexts. The transaction costs for these activities, while high, are unavoidable. However, creating uniformity and predictability for municipalities can lower transaction costs through standardized resource pools and contracting practices, improved device security, and reduced bureaucratic friction.”
  • Municipalities are ill-positioned to transfer cyber risk because of insurer reluctance and product insecurity. Cities struggle to transfer cyber risk because of legacy systems, device insecurity, and extreme caution in the cyberinsurance market.

“This analysis of transaction costs in cyber risk management approaches available to municipalities offers insights into what are likely to be core elements of urban technology governance in the future: extensive contracting with private firms, assigning product liability, and interagency collaboration and coordination,” Faulkner writes. “Our work is timely; scholars, government officials, and industry experts have a magnifying glass on municipal cybersecurity challenges and are working in earnest to devise governance solutions that cities of all sizes can adopt. These efforts call attention to the future of urban governance in an increasingly digital world. This future will require intricate long-term relationships between the public sector, the private sector, and residents, with cybersecurity essential for the structural integrity of those relationships.”