Claims Service and Expertise

By Mark A. Sadler, JD, RPLU, CPLP, CIPP/US, CIPP/C

The Growing Threat in Public Sector Cybersecurity

Public sector cybersecurity is facing increasing pressure as public entities become prime targets for ransomware—malicious software that locks access to systems or data until a ransom is paid. The FBI defines ransomware as software that restricts access files or systems and demands payment for restoration. Threat Actors may also threaten to publish exfiltrated data in order to extort a ransom payment.  

Notable examples include:

• Atlanta (2018): Estimated recovery cost of $17 million
• Baltimore (2019): $19 million in losses and service disruptions

The average ransomware event costs $334,000, not including the operational impact on critical public services like 911, sanitation, and public transit.

Prevention and Preparedness in Public Sector Cybersecurity

The best defense against ransomware is a proactive public sector cybersecurity strategy. The Cybersecurity and Infrastructure Security Agency (CISA) offers a Ransomware Guide with best practices for hardening systems.

Key Steps

• Maintain secure, up-to-date backups
• Create a detailed incident response plan
• Engage legal and technical experts
• Report incidents to law enforcement (e.g., FBI's IC3)

Incident Response for Public Sector Cybersecurity

A strong response plan should include:

• Isolating infected systems
• Securing backups
• Conducting forensic analysis
• Notifying stakeholders
• Evaluating recovery options

While some experts may open dialogue with attackers to verify decryption capabilities, the FBI does not support paying ransoms. Payment does not guarantee data recovery and may encourage further attacks.

Legal and Regulatory Risks

Federal Sanctions

The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) warns that ransom payments may violate sanctions laws if funds reach sanctioned entities or countries (OFAC, 2021). Violations can result in civil or criminal penalties—even if unintentional.

OFAC considers voluntary self-reporting and a strong compliance program as mitigating factors in enforcement decisions.

State-Level Restrictions

Several states prohibit public entities from paying ransoms:

• Florida: Prohibits ransom payments and mandates reporting within 12 hours of discovery (Fla. Stat. § 282.3186)
• North Carolina: Bans both payment and communication with attackers (N.C. Gen. Stat. § 143-800(a))
• Tennessee: Prohibits ransom payments by state entities and outlines reporting protocols (Tenn. Code Ann. § 4-1-423)
• Ohio: Prohibits payment of a ransom unless a legislative authority formally approves the action in a specific resolution or ordinance (Am. Sub. House Bill 96, effective September 28, 2025)

Take Action: Strengthen Your Public Sector Cybersecurity

Ransomware attacks are not just costly—they're disruptive to essential public services and legally complex. Public entities should consider the following to strengthen their cybersecurity posture:

• Review and update cybersecurity policies
• Train staff on incident response protocols
• Ensure legal and regulatory compliance

Being proactive is the most effective way to protect your organization, your data, and your community.

• Cyber Security

• Cyber Risk
• Loss Control