A group of cyber experts is working to bring that financial impact forward and, in the process, influence how elected officials and local finance officers view cybersecurity in the municipal landscape. Their focus is U.S. local governments including cities, counties, villages and special districts that may include utilities, hospitals or airports.
The Local Government Cybersecurity Alliance (LGCA), formed earlier this year, doesn’t plan to replace existing cybersecurity efforts but to fill a niche that has lacked targeted guidance, said Donald Hester, a career cybersecurity leader and former auditor. He co-founded the alliance with Elisabeth Dubois, a municipal cybersecurity risk specialist in New York state.
The LGCA’s Local Government Officials Guide to Cybersecurity targets elected and appointed officials, not cyber or IT staff, and outlines fiduciary responsibilities for managing cyber risk. It has more than 40 contributors from across the U.S.; the report cites a $3 million average recovery cost and 27-plus days of downtime per cyber incident in 2024.
“One of the things I always found hard as an auditor is to get senior management to understand their role and responsibility in cyber risk,” Hester said. “And when I first started doing it in the early 2000s, there wasn’t a good understanding of what IT governance meant.”
The most damaging costs of a cyber incident, he said, often appear after the breach.
“Your bond rating can be impacted,” he said. “You can have increased insurance premiums in the future. There are all those costs that you don’t think of because when thinking of the cost, they’re thinking of the incident itself. But there’s residual cost, including any litigation that may come in the future.”
Local governments must treat cyber as they would any other major risk category, Hester argued — albeit one that moves faster and cuts deeper than many traditional threats. While city councils are often well-versed in liability tied to policing, water systems or emergency management, cybersecurity is a high-stakes risk that affects fiscal stability, infrastructure continuity and public trust.
According to the U.S. House Committee on Homeland Security, the average data breach now costs $10 million. It released its Cyber Threat Snapshot last week, indicating cyber attacks were reported in at least 44 states in 2025, although the statistics don’t differentiate between the public and private sectors.
There is also the human cost. For example, if a hospital is shut down due to a cybersecurity event, it impacts patient prescriptions, outpatient services, or even surgical procedures.
“If you think of that in a local government context, you can really see the fallout,” Dubois said. “We think of the critical services that are provided by municipalities, and that’s where you see the potential risk — whether dollar or life.”
Common pain points are budget limitations, lack of technical leadership, turnover in elected offices, and difficulty translating cyber risk into business terms. Small municipalities are often underfunded and understaffed; they may not have in-house tech support.
Tom Pelster, CIO of California’s Public Risk Innovation, Solutions and Management, said smaller jurisdictions often assume their size protects them, but cyber threats don’t scale that way.
“Here’s what matters with the small, small organizations: if you go back 50 years, when cyber threats didn’t exist, there was a curve for risk,” he said. “The smaller cities had less risk. They didn’t build big buildings, their projects were low dollar, they had fewer employees.”
“But cyber has flattened that out. ... The risk is the same across the board.”
Cesar Gamez, information security administrator for Roseville, Calif., said cybersecurity is the biggest risk for organizations.
“There are studies that say the biggest risk organizations face is not natural disasters. It’s not the financial world going up in flames, political or anything like that ... it’s an outage from a cyber incident,” Gamez said. “So, part of this guide ... is bringing that awareness. This is not the sky is falling, Chicken Little. It is actually happening all over the place.”
He stressed that risk management training and financial training are given to City Council members, and emergency management exercises are regularly planned — and that cybersecurity should be treated as seriously as other disasters.
Alliance members hope the guide and future resources, with topics such as AI’s effect on cybersecurity, will help leaders at entities of all sizes take action. The LGCA, Hester said, isn’t trying to replicate other cybersecurity organizations but instead to focus on a specific area: governance guidance for municipal executives and policymakers.
“One thing we found is that there is nobody addressing what the [city] council needs to understand,” he said. “This is written for council, not written for the CISO, and specifically, the city manager or city attorney’s office. We are planning to write other guides, and so we’re looking to get more folks to join us.”