No MFA

Insurer denies coverage: Canadian City must pay $18.3 million for cyberattack

Hamilton Ontario

Hamilton faces full financial burden after devastating ransomware attack – Insurance company rejects claim due to missing two-factor authentication

The Canadian city of Hamilton is facing a costly bill: After a severe cyberattack in February 2024, taxpayers must cover the full costs of $18.3 million themselves. The city’s insurer denied the claim, citing that full two-factor authentication had not been implemented at the time of the attack.


Insurance coverage denied due to inadequate IT security

As city councillors learned during a committee meeting on Wednesday, the insurance claim was rejected because the city’s insurance policy provides no coverage for losses where the absence of multi-factor authentication was the root cause of the cyber breach. “I understand why Hamiltonians are frustrated — this was a serious and costly breach,” Mayor Andrea Horwath said in a news release Wednesday. “We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard — and we’re not okay with that.”

Attackers demanded $18.5 million ransom

On February 25, 2024, Hamilton experienced a cyberattack that disabled roughly 80 percent of its network. Services like business licence processing, property tax, transit planning and finance and procurement systems were impacted for weeks. Some systems were unrecoverable, the city said, including permit applications and licensing, fire department records management and traffic signal system management.

The attackers launched a complex ransomware attack through an external internet-facing server. After covertly studying the city’s systems, they encrypted systems and data to render them unusable and attempted — but failed — to destroy all the city’s backups. The attackers demanded a ransom of roughly $18.5 million in exchange for a decryption tool to unscramble the city’s data.


City categorically refused ransom payment

Hamilton refused to pay the ransom. The city said it contained the incident within two days and managed to provide critical services throughout. “Paying the ransom would have increased the City’s risk and financial exposure,” the city said in the news release, adding that, according to its technical advisers, decryption tools from cybercriminals are very often unreliable. “Even with a working tool, safe restoration would have taken significant time and money. Additionally, paying ransom funds could fuel future cybercrime and support international organized crime and terrorist organizations.”

$18.3 million spent on emergency response and system recovery

Mike Zegarac, general manager of finance and corporate services, told councillors on Wednesday the city would have to incur costs regardless of whether it had paid the ransom. To date, the city has spent $18.3 million on immediate response, system recovery and third-party expert support. Of the $18.3 million, $14 million has been spent on external experts who have helped the city’s response, redesign and future strategies.

Sharp criticism of inadequate cybersecurity strategy

At the general issues committee meeting Wednesday, Ward 2 Coun. Cameron Kroetsch took issue with the “looseness” of Hamilton’s cyber strategy. “There weren’t protocols in place for many parts of the city, including how we connected to devices … and there was virtually no training provided whatsoever to councillors with respect to what to do here,” he said. “This didn’t happen due to councillors’ negligence of any kind, or councils for that matter. But there have been several reports I’ve monitored outside of being an elected official where I saw recommendations being made to address this, and the investments not being made to pick up with those for whatever reason … we knew we had these problems with place … this has to be taken more seriously.”

Ward 9 Coun. Brad Clark said he found it “very frustrating” that multi-factor authentication wasn’t put in place years ago after learning from a staff member at the meeting that Hamilton’s insurance company sought it in late 2022. “The city had full knowledge we were not compliant with the exclusion in 2023,” he said. “How does council find out it wasn’t done if staff doesn’t share it with us? I find it immensely frustrating there has been zero accountability on this; this chamber, we’ll be held accountable in a year and a bit; front bench and all the staff, no accountability for this incident. I can’t explain that to my residents.”

Learning from the incident

When its claim was denied, the city obtained a third-party review of the decision and did not pursue further legal action as it learned the insurer’s action was based on coverage terms. The city has since said it has enhanced its cyber controls and renewed its insurance coverage.

In her statement, Horwath said Hamilton will learn from the incident. “We acted swiftly, and we’re moving forward with focus and determination. This is also a clear and indisputable reminder that timely investments in public infrastructure help prevent far more costly reactive responses down the line,” she said. “The City of Hamilton is rebuilding with resilience and future-proofing in mind, while strengthening our systems, improving protections, and ensuring better service and safeguards for our entire community.”

Lars Becker, Editor, IT Verlag GmbH
