It is widely recognized that cities and local government agencies within the United States have increasingly become targets of ransomware in recent years. In fact, on June 17, 2021, the United States Senate Subcommittee on Emerging Threats and Spending Oversight held a hearing on “Addressing Emerging Cybersecurity Threats to State and Local Government.” The Committee Chair highlighted that the estimated cost of publicly known ransomware attacks impacting states and local governments in 2020 was approximately one billion dollars.

With COVID-19 accelerating the public’s reliance on digital connectivity, more investment in technology and people is needed to improve the cyber resilience of local governments. Local governments are the providers of many critical services necessary for everyday life. Exploits of cyber vulnerabilities in the public sector can cause far-reaching impacts and interruptions to communities. Disruption of essential services is not the only risk posed by cybercriminals. Government organizations are unique because they hold vast amounts of sensitive and confidential data. Whether it be personally identifiable information on citizens, documents related to public safety and courts, or even communications on sensitive matters, the stolen data is often used in extortion attempts and ultimately offered for sale to other criminals.

It is also known that as organizations continue to rely on third- and fourth-party relationships for their critical business processes, over half of reported data breaches result from those relationships. Cities and local governments are no different. Now more than ever, cities are outsourcing and leveraging third parties for activities that range from website design and web hosting to parking ticket fine collection and utility payments.

As a result of the increased reliance on third parties, RiskRecon, a Mastercard Company, evaluated a sample of 271 of the most populated U.S. cities’ government websites as of August 29, 2021, to assess their cybersecurity posture and the third- and fourth-party vendors that support our cities and local governments. [A full list of the U.S. cities included in the dataset can be found in Appendix A.]


For this research, RiskRecon, a Mastercard Company, evaluated a sample of 271 of the most populated U.S. cities’ government websites as of August 29, 2021. The sample included the five most populated cities from each state (excluding inhabited territories and including the ten most populated cities for California, Florida, New York, Texas, and the District of Columbia).

What is RiskRecon?

RiskRecon monitors the cybersecurity performance of an organization using open-source intelligence. RiskRecon employs passive, non-invasive techniques to discover an organization’s public systems and analyze those systems’ cybersecurity risk postures. RiskRecon summarizes organizational results in an easy-to-understand score called a RiskRecon Rating, which provides a rapid orientation of the organization’s cybersecurity performance.

RiskRecon Rating

The RiskRecon Rating is an overall security rating based on performance across 9 Security Domains. RiskRecon rates cybersecurity risk performance on a scale of 0.0 – 10, with 10 being the best rating. RiskRecon overlays an A-F grading scale on top of the numeric ratings that separates performance into five bands. The security domains measured are software patching, application security, web encryption, network filtering, breach events, system reputation, email security, DNS security, and system hosting. [More information on the RiskRecon Rating can be found in Appendix D.]

Security Issues

RiskRecon automatically contextualizes every issue with severity and asset value, enabling information security professionals to easily identify risk priorities and needed action. The “priority 1 findings” are issues of critical severity (based on the Common Vulnerability Scoring System) discovered on high-value assets (e.g., a system that collects login information or Personally Identifiable Information).
