New Cyber Coverage Requirements & Available ARPA Funds Prompt Investment in Cybersecurity

December 3, 2021

By Alison Cline Earles, Senior Associate General Counsel CIPP/US GMA

Underwriting changes and likely availability of ARPA funds make the time ripe for cities to invest in “must have” cybersecurity measures. City leaders should review underwriting questionnaires with it and develop plans to implement missing information security measures.

Faced with ransomware and cyberattack risks, many cities depend on cyber coverage for financial protection and response services. Recently, carriers have overhauled underwriting requirements. Per Lockton, without the asterisked measures below, cities will be unable to purchase or renew cyber coverage. Moreover, coverage may be limited if the following “MUST HAVE” security controls are not in place.

  • Multifactor authentication*is in place for email, privileged accounts, and remote access.
  • Endpoint detection and response* has been deployed.
  • Offline, offsite, current backups of critical data are available and tested.*
  • Workers complete user training and regular phishing tests.
  • Sensitive data is encrypted.
  • City employs/contracts for a skilled security team.
  • City promptly updates and patches operating systems, applications, and firmware.
  • City maintains and tests an incident response plan.
  • A third party performs penetration tests of systems.
  • City segments its networks.


City leaders should use available ARPA funds. Treasury urges recipients to use State and Local Fiscal Recovery Funds (“SLFRF”) for eligible expenses: “Recipients can and should rely on the Interim Final Rule to determine whether uses of funds are eligible. Treasury encourages recipients to use funds. Funds used in a manner consistent with [the Rule]   will not be subject to recoupment.” SLFRF can be used for cybersecurity investments as follows:

  • If a city can document revenue losses attributable to the pandemic, for “government services,” including “modernization of cybersecurity, including hardware, software, and protection of critical infrastructure,” up to the amount of revenue lost.
  • For “cybersecurity needs to protect water or sewer infrastructure.”
  • For expenses incurred in response to the pandemic or its economic fallout. Assessing whether expenses are responsive requires the recipient to, “first, identify a need or negative impact [of the pandemic]. . . and, second, identify how the intervention addresses the identified need or impact.” A city implementing remote municipal courts, expanding telework, and promoting remote payments due to the pandemic might determine (with legal guidance) that related cybersecurity costs are eligible.
  • For legal opinions about expense eligibility.

This article was originally featured in the November/December 2021 edition of Georgia’s Cities Magazine.

Back to Listing