OAKLAND, Calif. (KGO) -- Two high-profile ransomware hacks crippling two California entities - Oakland and San Bernardino County - are raising questions about the importance of network outage and cyber liability insurance. The ABC7 News I-Team is digging into why one of the policies may have lacked the necessary protections to minimize the damage.
RELATED: Expert explains how City of Oakland may have become victim of ransomware attack
Oakland vs. San Bernardino County
Four months after the "Play" ransomware group reportedly hacked into the city of Oakland's network, city hall sources tell the I-Team no payment was made. But the I-Team confirmed 610 gigabytes of data was leaked onto the dark web.
Yet, within one month $1.1 million was paid to a reported Russian-linked hacker group that infiltrated and temporarily shut down computer systems in the San Bernardino County Sheriff's Dept. in early April.
San Bernardino County paid roughly half the total cost of the ransom -$511,852 - and the insurance company covered the rest, the I-Team confirmed.
The FBI condemns any ransom payment or negotiations made with hackers, but is reportedly investigating both hacks.
So, why did one entity pay and the other didn't?
RELATED: Dozens of Oakland ransomware victims never notified SSN were leaked on dark web, I-Team finds
"It's an opportunity to reflect, what went wrong? Are there opportunities there for improvement?" said Chris Hetner, a 30-year veteran cyber security professional.
Hetner spent years advising the U.S. Securities and Exchange Commission on cyber resiliency policies.
"I would question: does the entity or organization have insurance?" Hetner said.
The I-Team confirmed both Oakland and San Bernardino County have some type of network outage coverage. We consulted Hetner about Oakland's policy that is defined as 'comprehensive' providing coverage for things like information security, regulatory defense, and cyber extortion.
"It appears most of this coverage is aligned to traditional data breach oriented types of attacks or perhaps the ability to deface a website or compromise the information of an entity," Hetner said.
RELATED: Here's a look at how other cities solved their cyberattacks
Hetner says what's often not considered in this type of coverage is the impact to business interruption or loss of services.
"So we see many organizations assume they have the proper cyber insurance coverage, but when they have the actual event occur they seek reconciliation from their carrier and their broker because the policy just wasn't designed for that type of event," he said.
It's unclear if that situation is what happened in Oakland's case. The I-Team asked the city if ransomware attacks are included in their policy coverage, but have yet to hear back.
Stephanie Sierra: "Do you think Oakland's coverage is sufficient to protect against a ransomware attack?"
Chris Hetner: "No. It seems like it's mostly covering comprehensive electronic info and security liability coverage so that assumes that it's tied to data... if I think about the disruption tied to ransomware, like shutting down systems, not being able to deliver services... it seems like this policy is not designed to meet those needs."
RELATED: Oakland ransomware attack: Leaked data has more than 3.1K views on dark web
San Bernardino County told the I-Team "The County had prepared for the possibility of such an incident by securing appropriate insurance coverage. After negotiating with the responsible party, the insurance carrier and the county agreed to a payment to restore the system's full functionality and secure any data involved in the breach."
The county added the decision whether to render payment was the subject of careful consideration.
"On balance, and consistent with how other agencies have handled these types of situations, this was determined to be the responsible course," according to a statement sent from David Wert, the county's public information officer. "As part of its ongoing criminal investigation, the Sheriff's Department is conducting a forensic examination to achieve a full understanding of the incident, the findings of which will benefit all public agencies looking to avoid a similar occurrence."
Hetner added there are many proactive measures organizations should be factoring in versus strictly relying on insurance policies - including ensuring proper backups, creating copies of critical data, and building incident response plans.
Ransomware attacks across the U.S.
Ransomware attacks on U.S. government organizations from 2018 through Oct. last year cost more than $70 billion, according to security and privacy research firm Comparitech. The firm analyzed at least 2,499 ransomware attacks that have targeted government organizations, healthcare organizations, U.S. schools, colleges, and businesses since 2018.
The average ransom demanded in the U.S. is more than $2.1 million, according to Comparitech.
"Play", the hacker group that claimed responsibility for the attack on Oakland, has hacked into at least six other entities across the country since 2018, the firm found. The I-Team confirmed one of them includes the software company "A 10 Networks" in San Jose.
A10 has investigated the incident and has successfully restored all needed data without impact on the continuity or integrity of business operations, the company told the I-Team.
Take a look at more stories by the ABC7 News I-Team.
If you're on the ABC7 News app, click here to watch live