On July 30, The Hamiltonian formally requested the following from the City:
A copy of the cyber insurance policy in effect at the time of the attack, along with the specific terms the insurer relied on in denying the claim. We asked: “Why was the claim denied, and what specific terms were not satisfied? How were those terms breached?”
We have since received the City’s response, which is provided in full below. But before presenting it, we offer these observations.
According to the City, the insurance claim was denied because multi-factor authentication (MFA)—a critical security measure—had not been fully deployed across all departments. This was a clear requirement of the insurance policy.
The City admits that this requirement was not met. Therefore, the insurer’s denial appears justified.
Let’s be frank: If a homeowner failed to install smoke detectors—despite it being a condition of their insurance—and their house burned down, the insurance company would rightly deny the claim. The loss would be devastating.
This situation is no different—except the scale of loss is exponentially larger. Millions in taxpayer dollars have been lost due to what can only be described as operational negligence. Where is the accountability?
Has anyone been fired for this critical oversight? If not, what exactly does the City mean when it speaks of “accountability”? Can public employees expose taxpayers to such significant financial consequences without consequence? What message does that send to staff, if they perceive there are no repercussions?
What message does that send to Hamilton residents, and what precedent does it set?
The City cannot undo what has already occurred. But it can show leadership now. Will any staff be removed for failing to implement basic cybersecurity protocols?
Hamiltonians deserve clear answers—and real accountability. Stay tuned...The Hamiltonian will be following up.
City of Hamilton Response (August 7, 2025):
“This was a highly sophisticated attack on an external, internet-facing server, gaining unauthorized access to the City of Hamilton systems. At the time of the February 2024 cyber attack, multi-factor authentication (MFA) was not fully deployed in every City department. The insurance policy in effect at the time stipulated that MFA had to be fully deployed across the organization.
If you would like a copy of the City’s cyber insurance policy in effect at the time of the cyber incident, a request through the Freedom of Information process would be necessary as this document is a contractual agreement with a third party. For more details related to Freedom of Information requests and to submit a request, please follow the link here.
The City is committed to the principles of openness, transparency and accountability in line with the protocols of the City’s Freedom of Information Office.”
\
No comments:
Post a Comment
Your comments are welcome. Please abide by the blog's policy on posting. This blog facilitates discussion from all sides of issues. Opposite viewpoints are welcome, provided they are respectful. Name calling is not allowed and any posts that violate the policy, will not be authorized to appear. This blog also reserves the right to exclude comments that are off topic or are otherwise unprofessional. This blog does not assume any liability whatsoever for comments posted. People posting comments or providing information on interviews, do so at their own risk.
This blog believes in freedom of speech and operates in the context of a democratic society, which many have fought and died for.
Views expressed by commentators or in articles that appear here, cannot be assumed to be espoused by The Hamiltonian staff or its publisher.