BBC News

Aug. 26 — Colorado CISO Ray Yepes told a FedInsider panel yesterday that he is increasingly turning to self-insurance as cyber policies raise premiums and reduce coverage. said.

“Almost all states are self-insured, and where they are not, we are working to get them to be self-insured,” Yepes said.

Colorado itself, its insurance cost $500,000 last year $2 million More expensive policies have also become less valuable this year, with higher deductibles and reduced coverage and benefits.

Countries face the risk that prices will continue to rise and that there will be a shortage of cyber insurers. Colorado Yepes said he had to change primary insurers this year in order to find a company that would cover his insurance.

“If you buy cyber insurance, that’s the main reason, it’s ransomware,” says Yepes.

This kind of trend is we global insurance market Lloyds of London It reportedly recently issued an order directing insurers selling through its platform to exclude coverage for state-sponsored cyberattacks, or at least attacks that cause a certain level of impact. to take effect March 2023.

Yepes said the public sector is uniquely positioned to switch to self-insurance instead because it has a huge amount of back-up support in case the reserves run out.

“If you are in the government sector, I would strongly consider getting state, agency, or city self-insurance,” Yepes said.

Excluding that Colorado Yepes, who pays out millions of dollars in insurance premiums each year, wants the state to put that money into a self-insurance fund and contribute it annually. If a cyber incident proves to be more costly than these funds can cover, states may utilize emergency funding systems. States typically have large disaster or emergency funds. $50 million Or so, he said.

And these resources are not a last resort.Governors can declare a state of emergency and turn to federal law enforcement agencies like the federal government to help handle incidents requiring more resources secret Service When FBI For response assistance, national guard said its cyber specialist, Yepes.

Another point in favor of self-insurance? States are free to use companies with which they have existing relationships because they are not required to use the vendor of their choice, Yepes said. This means that the vendors brought in in an emergency are familiar with government systems.

Yepes said he intends to present of Colorado A governor with a law that provides a self-insurance program.

centering security

yes i came Colorado with a resume that includes 5 years as CISO of Texas Department of Family Protection ServicesThis transition showed him the difference working under him Texas’ Distributed IT infrastructure and of Colorado concentration model.

In decentralized setups, individual agencies typically have their own IT staff, systems, and strategies, with state-level IT departments focused on providing greater policy and direction. On the other hand, in the centralized state IT approach, a single state IT department acts as the primary source of her IT strategy, management, services and personnel for other agencies.

This choice could have significant implications for cybersecurity, Yepes said.

“One of the biggest advantages [of centralized infrastructure] Security,” he said.

A centralized IT department has better control, so policies can be enacted faster.

“one of [the impacts] People don’t realize how fast decisions are made. A centralized entity is much faster,” Yepes said.

waiting for cyber grant

As states and local governments plan cyber improvements, many are hoping for long-promised federal cybersecurity grants. infrastructure investment and Employment Law (IIJA).

Virginia Deputy Chief of Cybersecurity Alicia Andrews She recognizes that cross-regional cybersecurity weaknesses also put the Commonwealth at risk, and is currently working to uncover the cyber challenges and needs unique to each jurisdiction. , visits all 133 regions over a 60-day period to engage with regional CISOs and CIOs to discuss their structures, concerns and desires for future grants.

Deputy Commissioner of Cybersecurity, Virginia Alicia Andrews Speak during the virtual panel.

“We’re asking what local governments really need,” Andrews said. “My tour of the Commonwealth… [aims] Find out what the foundation of their needs is, what gaps we have, and how we will use federal funding so that it benefits them. ”

Another challenge, Hernandez said, is setting up a grants team, compiling useful information, and developing processes to make it easier for local governments to apply for grants when they become available. is to set.

Alaska’s CISO, Chris Letterman, said his state is working to gain better insight into the region and hopes the federal grant will boost those efforts. .

“One of the things the SLTT grant provides us is a gateway to establishing a statewide view on cybersecurity,” he said.

Alaska It aims to initially focus on establishing an advisory board to inform local needs and guide cybersecurity planning. Letterman said it will be important to bring voices to the council from jurisdictions where one person juggles her IT responsibilities with multiple other roles.

his short-term goals Alaska This includes improving our ability to protect the identities of our state workers and residents, using a Zero Trust approach to protect our remote workforce, training to increase security awareness among government workers, and tabletop exercises. , and enhancements to other initiatives.

Letterman added that uncertainty about when the grant will arrive has created some hurdles, but said the funding has “tremendous potential.”

“There is still a back-and-forth feeling with the federal government as to when notifications of funding opportunities will actually go public,” Letterman said. “And that will really determine many of the ways in which we can answer some of these needs and meet some of what the SLTT grant has earned.”

___

(c)2022 Government Technology

Access Government Tech at www.govtech.com

Distributed by Tribune Content Agency, LLC.