Officials have declined to say how the hackers penetrated the city’s network, but long before the attack they had received warnings that the city’s security systems were out of date and that infrastructure was vulnerable. The city’s IT department has also acknowledged that before the attack, it didn’t have a written plan in place to follow in the case of a serious incident, nor did it have insurance that has helped other jurisdictions pay for the costs of recovering.