The Local Government Cybersecurity Alliance (LGCA), a recently established network of cybersecurity professionals and municipal leaders, has released the “Local Government Officials Guide to Cybersecurity” — a resource aimed at helping elected and appointed officials understand the financial responsibilities of managing cyber risk.
Developed over about three years, the guide seeks to close what its authors call a “governance knowledge gap,” or a lack of technical understanding that can limit effective cybersecurity oversight. While many local governments are invested in security tools and technology, the guide notes that leadership engagement is still uneven.
Local governments, specifically city and county, face a growing number of cyber threats — both financial and operational — as digital services have expanded. In 2024, the cost to recover from a cybersecurity incident averaged $3 million and more than 27 days of downtime, according to the guide. For context, this year’s cybersecurity incidents have reinforced the urgency of local engagement in cybersecurity oversight, as officials have grappled with cyber attacks leveled against Fort Bend County, Texas; St. Paul, Minn.; and the Orleans Parish Sheriff’s Office in Louisiana.
“This crisis has fundamentally changed the conversation,” the guide says. “Cybersecurity is no longer an IT issue; it is a strategic, fiduciary and enterprise-level risk.”
The guide’s writers list several persistent barriers to cybersecurity, including funding constraints, workforce shortages and limited awareness of executive responsibilities. The guide outlines five core governance principles for officials: integrating cybersecurity into enterprise risk management; assigning a dedicated budget to cover staffing, tools, training and insurance; establishing oversight structures for accountability and reporting; adopting a recognized framework such as the National Institute of Standards and Technology frameworks or CIS Critical Security Controls; and monitoring outcomes to inform risk-based decision-making.
There is also a rubric that shows who should be involved in decision-making, how to staff cyber-specific roles and what to do when there isn’t a dedicated CISO position. Sidebars call out tips for local governments in making decisions, choosing frameworks, assigning responsibilities, defining governance and establishing reporting.
The report was three years in the making, wrote Elisabeth Dubois in a LinkedIn post. She is a cybersecurity risk specialist for the New York Municipal Insurance Reciprocal, an insurance provider that also provides cybersecurity services. She co-founded the LGCA this summer with Donald E. Hester, a cybersecurity expert with 25 years of experience in the space.
All told, 40 contributors and five editors worked on the new report.