State of the Market: Public Entities

In 2021, public entities navigated an ongoing hard market cycle, as a global pandemic, civil unrest and natural catastrophes drove rate increases, restrictive terms and reduced capacity. Over the past several years, the insurance market for public entities experienced a significant loss of carriers, as new exposures and increased claim settlements drove away insurers. Amid turbulent market conditions, public entities should prepare for increased stringency and fewer opportunities for coverage this renewal season.

Through 2020 and 2021, the COVID-19 pandemic, secondary catastrophe (CAT) perils, and social inflation related to civil unrest, anti-institutional politics and racial tensions spurred premium increases and diminished capacity in the public entities space. All these concerns are ongoing, and they remain at the top of carriers’ minds this renewal period. This year, amid several high-profile claim settlements, two risk categories – cybersecurity and sexual assault and molestation (SAM) – deserve special attention. As the insurance market continues to experience an exodus of carriers, public entities should leverage the expertise of risk control consultants to reduce their exposure.

Cybersecurity

The growing frequency and severity of cybersecurity threats fuels higher premiums, rising deductibles and increased scrutiny in the public entities market.

<div className="float-left"> ![Team working on cybersecurity](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993201/cybersecurity-image01.jpg) </div>

Overview

Last year, the cost and frequency of cyber events rose, with the average cost of a data breach reaching $4.24 million, a 9.84 percent year-over-year increase and 17-year high. The volume of cybersecurity breaches in the United States reached 2,932, a 10 percent year-over-year increase and all-time high. [^1] Across industries, carriers took steps to solidify loss ratios for cyber liability coverage. Early projections suggest premiums may rise 30 to 150 percent this renewal season, with large increases in retentions and deductibles. Many carriers will exit the market for lower-performing industry classes, like public entities, reducing entities’ renewal options. [^2] Smaller entities may find cyber coverage difficult or impossible to secure. Public entities with strong security protocols, defensive AI and a zero-trust approach may see lower premium increases and more favorable renewal terms.

Most Common Cyber Claims

  • Ransomware attacks
  • Ransomware as a service (RaaS)
  • Double extortion
  • Triple extortion
  • Business email compromise & social engineering
  • Hacking & malware attacks

Emerging Risks

The shift to remote work in 2020 ushered in a new wave of cyber threats, as cybercriminals targeted the vulnerabilities of wireless and poorly secured home systems and technology. The use of personal computing devices for remote work made business email compromise (BEC) a major emerging risk category for insurers. 43% of organizations reported a cybersecurity breach in 2021, with 39% reporting weekly BEC threats. 51% of organizations reported a noticeable increase in spear phishing emails, the largest category of BEC threats. Only 69% of respondents trusted their organization’s capacity to manage cyber threats.

69%: Percentage of Respondents Who Trust Their Organizations’ Cybersecurity Protocols [^3]
<div className="float-left"> ![Padlock superimposed on a circuitboard](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993198/cybersecurity-image02.jpg) </div>

Ransomware attacks remain the largest risk category for public entities. Between 2017 and 2020, public entities across the United States made an average of $125,697 in ransom payments to cyber criminals. In 2021, ransomware attacks impacted a total of 2,323 local governments, schools and healthcare providers, causing at least 118 major data breaches. The total cost to local governments and agencies, 77 of which were impacted, was $623,700,000. Data was stolen in at least 44 of the 88 successful ransomware attacks on school districts, colleges and universities, resulting in sensitive employee and student information being released online. The cost of ransomware attacks on healthcare providers, including hospitals and multi-hospital health systems, was especially high. Scripps Health, the victim of a major data breach, estimated the cost of its attack at $112.7 million.

$623.7 Million: Total Cost of Ransomware Attacks to Local Governments & Agencies [^4]
<div className="float-left"> ![digital Global map](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993203/cybersecurity-image03.jpg) </div>

Foreign security concerns, like the Russia-Ukraine war, are increasing the threat of state-sponsored cyber attacks on the U.S. public sector. According to the Office of the Director of National Intelligence, Russia continues to target critical infrastructure in the United States’ public sector, including recent cyber attacks against the SolarWinds software supply chain, COVID-19 vaccine development and the industrial control system. As recently as December 2021, Chinese hackers breached four U.S. defense and technology firms, intercepting the organizations’ sensitive communications. In recent years, the public sector’s growing susceptibility to state-sponsored cyber attacks precipitated a renewed effort from the Department of Justice to investigate and prosecute foreign hacking campaigns.

“Russia continues to target critical infrastructure in the United States and in allied and partner countries.” – 2021 Annual Threat Assessment, the U.S. Office of the Director of National Intelligence [^5]

In 2021, high-profile cyber attacks on the nation’s supply chain raised concerns about systemic and aggregate risk events. Carriers expressed growing apprehension about policyholders’ exposure to unknown networks and systems. Going forward, underwriters are likely to investigate vendor management, supplier systems, and organizations’ reliance on cloud-based applications and infrastructure with greater scrutiny.

Impact on Insurance Coverage and Pricing

Across industries, expect premiums for cyber liability coverage to rise 30 to 150 percent. For lower-performing industry classes – and public entities, especially – cost increases may be even higher. Larger public entities (>$100 million in annual operating budgets) will pay significantly higher premiums while assuming more restrictive coverage grants. Smaller public entities may struggle to find insurance coverage at any price point.

The cost of cyber insurance rose 300% this year for the Local Government Insurance Trust, a member-owned association offering pooled insurance to 191 Maryland municipalities. [^6]
<div className="float-left"> ![digital pad lock](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993202/cybersecurity-image04.jpg) </div>

As carriers exit the public entities market, the combination of reduced capacity and rising premiums creates a predictable result: while the need for cyber liability coverage grows, the affordability of coverage falls. In 2021, 69% of local governments reported steep increases in their cyber insurance premiums. Despite premium growth, the number of public entities adding cyber insurance continues to rise. Public entities recognize that the cost of insurance, while high, protects against the considerably higher cost of a ransomware attack or data breach.

In addition to price increases, many public entities report declining limits on coverage. For one public entities pool, the Missouri Municipal Trust, the available limit for cyber liability coverage dropped from $1 million to $250,000, with deductibles rising from $5,000 to $25,000. Some carriers now exclude ransom payments from their cyber coverage, reducing entities’ protection against ransomware attacks. Other event-or-exploit-specific exclusions may be found in renewal conditions. This is consistent with cyber insurance trends across industries: as prices increase, coverage declines. Ahead of renewals, many carriers are requiring outward-facing network infrastructure scans of public entities’ security systems, ensuring proper configurations of Remote Desktop Protocols (RDP) and secure email gateways. Many plans require public entities to institute multifactor authentication (MFA) systems, and organizations without MFA protections struggling to secure coverage altogether. Generally, there is an expectation from carriers that public entities demonstrate advanced security protocols for their IT systems before qualifying for cyber insurance coverage. This may include a security audit, evaluating entities’ employee training, artificial intelligence (AI) security systems and software updates.

Risk and Cost Reduction

To mitigate risk and cost increases, public entities should take steps to improve their network security. Public entities with active de-risking procedures to reduce exposure to large-scale events see fewer cost increases and coverage reductions during renewal.

To reduce both risks and costs, public entities should:

  • Mandate regular cybersecurity training for employees.
  • Regularly back up computer systems.
  • Limit administrative access.
  • Purchase and install an artificial intelligence security software.
  • Take a zero-trust approach to cybersecurity.
  • Implement an endpoint protection solution.
  • Implement multifactor authentication.
  • Conduct regular audits of your cybersecurity systems and software.

Sexual Assault and Molestation

<div className="float-left"> ![digital pad lock](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993212/sexual-harassment-image01.jpg) </div>

As state legislatures amend the statute of limitations for child sexual abuse, public entities’ exposure to sexual assault and molestation (SAM) claims grows, fueling higher premiums and reduced capacity.

Overview

Over the last two decades, 80% of state legislatures amended their laws to extend or eliminate the statute of limitations on child sexual abuse. Public entities with exposure to underage and vulnerable populations – school districts, in particular – face growing exposure to sexual abuse and molestation (SAM) claims, many of which are disproportionately costly. As legal costs and settlements in SAM cases skyrocket, the insurance market is seeing an overall reduction in capacity; an increase in abuse and molestation exclusions; the restructuring of liability programs; and new mandates for higher self-insured retentions. As public entities struggle to secure comprehensive SAM coverage, many are resorting to alternative risk financing options. Going forward, public entities should consider restructuring their liability programs to anticipate declining coverage and rising costs.

80% of states have extended or eliminated the statute of limitations on child sexual abuse. [^7]

Most Common SAM Claims Against Public Entities:

  • Negligent employment, supervision, investigation, hiring or training
  • Failure to protect the victim, maintain a safe premise
  • Bodily injury
  • Intentional infliction of severe emotional distress
  • Reckless indifference
  • Assault and/or battery
  • Vicarious liability and others

Cost and Incidence of SAM Claims

Sexual abuse and molestation continues to represent a small proportion of total claims in the public sector. For school pools in California, for example, SAM made up less than two percent of 14,000 claim occurrences over the last decade. These claims remain a significant concern for carriers; despite their low frequency, the cost of SAM claims is disproportionately high. As state legislatures introduce look-back windows, reviver legislation and extended statutes of limitation, many carriers’ appetite for risk, particularly in the public entities space, is declining. As carriers limit their exposure to high-cost SAM settlements, a corresponding rise in premiums and reduction in capacity is anticipated.

As the cost of SAM claims rises, many carriers’ appetite for risk is declining. [^8]
<div className="float-left"> !["stop sexual harassment" 100 times on a chalkboard](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993212/sexual-harassment-image02.jpg) </div>

In the same California school pools, sexual abuse and molestation accounted for 40% of claim costs in excess of $1 million. With an average of $1.5 million in total incurred value per claimant, the per-capita financial costs of SAM claims dwarfed that of any other major claim category. This includes the significant legal fees and litigation expenses incurred by organizations defending against SAM claims.

Given the nature of SAM, remediation costs are not purely financial. Organizations must navigate the emotions, reputational damage and staffing changes precipitated by these claims. Even if the legal system rules in favor of an organization, the reputational damage, operational disruptions and loss of revenue incurred can lead to bankruptcy.

The reputational damage incurred by SAM claims can lead to bankruptcy. [^9]

High-Profile SAM Cases

<div className="float-left"> ![woman motioning the gesture to stop](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993211/sexual-harassment-image04.jpg) </div>

Several recent high-profile SAM claims heightened public entities’, insurance carriers’ and governments’ awareness of growing exposure to SAM-related nuclear verdicts. Consider the following examples:

  • Michigan State University’s $500 million settlement with victims of Larry Nassar, a former gymnastics physician found guilty of sexually abusing minors entrusted in his care.
  • University of Southern California’s $852 million settlement with the more than seven women who suffered sexual abuse during appointments with the university’s on-staff gynecologist.
  • University of California’s $73 million settlement over a similar gynecological abuse incident.
  • Boy Scouts of America filing for bankruptcy amid 200 SAM lawsuits and 1700 claimants pending in state and federal district courts.

Impact on Insurance Coverage and Pricing

As the broadening of statutes continues, so will the hard market cycle. Public entities should prepare for significant rate increases and restricted terms. Many carriers are removing abuse coverage from their general liability policy, and monoline sexual abuse and molestation coverage is increasingly difficult to find. With an increase in the frequency and severity of claims, public entities should expect many carriers to severely sublimit coverage.

Public entities should prepare for significant rate increases and restricted terms. [^10]

SAM coverage often falls under a pool’s general liability plan, subject to the same limits as all other categories of liability coverage. Coverage provided by a pool generally has exclusions for intentional acts by an alleged abuser that resulted in bodily injury or property damage. This should provide some protection, regardless of a liability policy’s specific abuse or molestation exclusions. Intentional acts exclusions do not necessarily apply to negligent hiring or supervision of an employee alleged to have committed sexual abuse or molestation. Defense and indemnification may be required during the settlement process.

Carriers are struggling to underwrite SAM pricing in the current climate, as the length of reporting periods continues to grow. Claims that used to be in the single-digit, million-dollar arena are quickly becoming double-digit million or billion-dollar verdicts. These payouts can bankrupt public entities, whose budgets are already severely strained by insurance spending.

Claims that used to be in the million-dollar arena are quickly becoming billion-dollar verdicts. [^11]

Some carriers are only offering coverage on a claims-made basis, a form of reinsurance under which the date of the claim report is deemed to be the date of the loss event. If the claim occurs outside the ‘claims-made’ policy year, the insurer is not liable for losses. Generally, higher premiums, higher retentions and sublimits for SAM claims should be expected for public entity pools.

Risk and Cost Reduction

To mitigate cost and risk increases, public entities should seek liability risk-management services, with capabilities including broad abuse coverage, bullying, specialty coverage and employee training programs. To reduce both risks and costs, public entities should:

  • Review old, time-barred claims to identify potential former victims of SAM.
  • Implement policies to prevent employees from engaging in secluded one-on-one interactions with children or vulnerable adults.
  • Conduct strict background checks on all employees and volunteers.
  • Update reporting and documentation protocols for suspected sexual abuse and molestation.
  • Communicate sexual abuse warning signs to employees.
  • Conduct age-appropriate boundary training for all employees.
  • Review facilities for open visibility to minimize opportunity for sexual offenders.
  • Policies to ensure safe transit of children and vulnerable adults, to and from the public entity’s facilities.

Ongoing Market Drivers in the Public Entities Space

Law Enforcement

For several years, highly scrutinized police shootings of unarmed civilians; emerging movements to defund and abolish the police; and the increasingly contentious political discourse around policing have driven increased scrutiny of law enforcement claims. Across the board, coverage for law enforcement has tightened, limiting public entities that manage local police departments and law enforcement outfits’ access to comprehensive insurance.

Across the board, coverage for law enforcement has tightened. [^12]
<div className="float-left"> ![Coronavirus](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993205/public-entities-image01.jpg) </div>

The increased use of cameras and video recording equipment contributes to the growing frequency and severity of law enforcement liability claims. The viral nature of video-captured police-civilian interactions increases public scrutiny, occasionally leading to outsized insurance settlements in cases of alleged police misconduct.

COVID-19 Pandemic

Carriers can expect the impact of COVID-19 on public entities to ease in the coming months, as the incidence and severity of the virus continue to decline. Going forward, the primary vulnerability for public entities is the return to in-person work, as entities debate vaccine mandates for government employees. Additional lawsuits may be filed by employees who contract the virus at the office, after being required by their employer to end their work from home.

The Public Readiness and Emergency Preparedness Act remains a strong protection for public entities against COVID-19 claims. [^13]
<div className="float-left"> ![hurrican viewed from space](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993209/public-entities-image02.jpg) </div>

The Public Readiness and Emergency Preparedness Act (PREP) provides immunity of liability to entities and individuals involved in the development, manufacturing, testing, distribution and/or administration of countermeasures against a present or credible threat to public health. Though PREP contains a statutory exception for willful misconduct, it remains a strong protection for public entities against COVID-19 claims.

Natural Disasters

2020 and 2021 brought extreme levels of natural catastrophe activity, with 22 events with insured losses in excess of one billion dollars, including 30 hurricanes, 17 wildfires and historic cold snaps in the southern United States. Though Q1 2022 saw a decline in secondary catastrophe peril, it remains a concern for public entities seeking property and auto liability coverage.

Since 1980, natural disasters have caused $5.2 trillion in property damage, more than 70% of which was uninsured. [^14]
<div className="float-left"> ![cracked road close up](https://res.cloudinary.com/pomsassoc/image/upload/c_fill,w_200/v1650993208/public-entities-image03.jpg) </div>

Since 1980, natural disasters have caused $5.2 trillion in property damage, more than 70% of which was uninsured. As the severity, frequency and size of catastrophic weather events grows, carriers are reevaluating their models for measuring natural disaster risk. For public entities in coastal areas or regions with a high susceptibility to hail storms, extreme wind and wildfires, comprehensive coverage may be difficult to secure at all. Expect a shrinking market and upward pricing pressure to continue through 2022.

Aging Infrastructure

One ongoing risk for public entities is aging infrastructure. Managing tight budgets, some entities forgo much-needed repairs to aging buildings, bridges and roads. Keeping up with inspection, maintenance, replacement and repair efforts is key to mitigating risk of property and liability settlements.

Aging infrastructure represents a significant risk category for public entities with tight budgets. [^15]

According to a study by the Federal Highway Administration and Federal Transit Administration, the nation’s transportation infrastructure is especially poorly maintained. Nearly 35% of the United States’ railways, 40% of stations, 24% of maintenance facilities and 17% of communications systems were found to be in poor condition. Half of America’s public-school buildings are more than 50 years old, and the overall condition of public school facilities received a D+ on the American Society of Civil Engineers’ 2017 infrastructure report card. Aging transit infrastructure is projected to cost public entities $340 billion in lost business sales between 2017 and 2023.

Conclusion

Across insurance categories, public entities with strong risk management protocols continued to see more favorable renewal rates and opportunities for comprehensive coverage. Public entities with high-risk exposure experienced significant losses, above average rate increases and difficulty securing coverage. Going forward, efforts to defend and train against cybersecurity threats and sexual assault and molestation will be especially impactful, as both risk categories project to be significant market drivers through 2022.

Developments in the public entity insurance market reaffirmed Poms & Associates’ commitment to effective and efficient risk management. Knowledge and preemptive risk control remain the best insurance solutions, guarding clients from rising premiums, market volatility and emerging technical and social risks. As the preeminent risk management organization in commercial insurance, Poms & Associates’ brokers are equipped to address clients’ specific needs and liabilities, regardless of their loss or coverage history. Amid deteriorating market conditions and rising risk exposure, Poms & Associates’ risk management solutions remain the key to affordable and expansive insurance coverage options.

To learn more about the steps your organization can take to protect against emerging risks and liabilities, request a free consultation with Poms & Associates’ risk-management experts at www.pomsassoc.com.

[^1]: “Cost of a Data Breach Report 2021.” IBM, IBM, 2021. [^2]: Overman, Olivia. “From Cybercrime to Sexual Molestation, Risks Facing Public Entities Increases.” Home, Independent Insurance Agents & Brokers of America, Inc., 26 July 2021. [^3]: “Cost of a Data Breach Report 2021.” IBM, IBM, 2021. [^4]: “Cost of a Data Breach Report 2021.” IBM, IBM, 2021. [^5]: 2021 Annual Threat Assessment. U.S. Office of the Director of National Intelligence, 2021. [^6]: Noble, Andrea. “Cyber Insurance for Local Governments Costs More, Covers Less.” Route Fifty, Route Fifty, 16 Nov. 2021. [^7]: “Statute of Limitations Changes Cast a Shadow on Public Entities.” Amwins. [^8]: “Liability Policies: Understanding How Abuse and Molestation Exclusions Impact Insurance Coverage.” Amwins. [^9]: “Liability Policies: Understanding How Abuse and Molestation Exclusions Impact Insurance Coverage.” Amwins. [^10]: Demberger , Autumn. “Why Recent Legal Standards Are Driving Public Schools to Tackle Sexual Abuse and Molestation Claims Head On.” Risk & Insurance, 10 June 2021. [^11]: Bowlus, Craig. “Sexual abuse and molestation claims in the public sector.” Intelligence, AGRiP, 2018. [^12]: Re, Munich. “Property and Casualty Market Trends Impacting Public Entities - and How to Keep Your Risk Mitigation Efforts Current.” Risk & Insurance, 14 Oct. 2021. [^13]: Person. “State of the Public Entity Marketplace Update: Risk Placement Services.” RPSIns, RPSIns, 25 Oct. 2021 [^14]: Re, Munich. “Property and Casualty Market Trends Impacting Public Entities - and How to Keep Your Risk Mitigation Efforts Current.” Risk & Insurance, 14 Oct. 2021. [^15]: Re, Munich. “Property and Casualty Market Trends Impacting Public Entities - and How to Keep Your Risk Mitigation Efforts Current.” Risk & Insurance, 14 Oct. 2021.