
Self-Insurance, Grant Planning on States’ Cyber Agendas

The majority of states are abandoning third-party cyber insurance for self-insurance, says Colorado CISO Ray Yepes. Plus, Virginia and Alaska cyber leads talk federal cyber grants and the importance of understanding local needs.

Colorado CISO Ray Yepes discusses cyber self-insurance during a virtual panel discussion.

States are increasingly turning to self-insurance as cyber policies raise premiums and reduce coverage, said Colorado CISO Ray Yepes during a FedInsider panel yesterday.

“Almost every state is self-insured, and if not, they’re working to become self-insured,” Yepes said.

Colorado itself saw its insurance costs quadruple from $500,000 last year to $2 million this year, and the pricier policy was also less valuable, coming with higher deductibles as well as reduced coverage and benefits.

States are confronting the risks both that prices will continue mounting and that cyber insurers will become scarcer. Colorado had to switch primary insurers this year to find a company willing to cover it, Yepes said, and he said other CISOs have run into issues of insurers removing ransomware from their cyber policies.

“To me, if you’re going to get cyber insurance, that’s the main reason you want to get it — is the ransomware,” Yepes said.

These kinds of trends aren’t limited to the U.S. Global insurance marketplace Lloyd’s of London reportedly issued a mandate recently that instructs insurance firms that sell over its platform to exclude coverage for state-backed cyber attacks, or at least those that cause a certain level of impact. The rules go into effect in March 2023.

The public sector is uniquely positioned to switch to self-insurance instead, Yepes said, because of the extensive amount of backup supports should its reserves run out.

“If you’re in the government sector, I would highly consider you get self-insurance for your state, for your agency, for your city,” Yepes said.

Instead of Colorado paying millions in premiums each year, Yepes would like the state to set aside that money into a self-insurance fund it would contribute to annually. Should a cyber incident prove to be more costly than these monies can cover, the state could tap into its emergency funding system. States typically have deep disaster or emergency funds, to the tune of $50 million or so, he said.

And these resources aren’t the last resort. Governors could declare a state of emergency to help handle an incident that requires more resources, turn to federal law enforcement like the Secret Service and FBI for response assistance, and activate the National Guard and its cyber specialists, Yepes said.

Another point in favor of self-insurance? States don’t have to use the vendors selected by their insurers, which frees them to use companies with which they have pre-existing relationships, Yepes said. This means that vendors brought in during emergencies are those already familiar with the government’s systems.

Yepes said he intends to present Colorado’s governor with legislation providing for a self-insurance program.

CENTERING SECURITY


Yepes came to Colorado in April, with a resume that includes five years as CISO of the Texas Department of Family and Protective Services. This transition showed him the difference between working under Texas’ decentralized IT infrastructure and Colorado’s centralized model.

Decentralized setups typically see each individual agency equipped with its own IT staff, systems and strategy, and any state-level IT department focused on providing the larger policy and direction. Centralized state IT approaches, meanwhile, see the single state IT department serve as other agencies’ primary source of IT strategy, management, services and personnel.

This choice can have a big impact on cybersecurity, Yepes said.

“One of the greatest benefits [of centralized infrastructure] is security,” he said.

The centralized IT department has greater control, which helps get its policies quickly enacted.

“One of [the impacts] people don’t realize is the decision-making speed. The centralized entity is way faster,” Yepes said. “Policies will be applied within two hours at the various groups or agencies or entities that you’re working with.”

AWAITING CYBER GRANTS


As states and localities plan their cyber improvements, many are anticipating long-promised federal cybersecurity grants, which are due out this year under the Infrastructure Investment and Jobs Act (IIJA).

Virginia Deputy Secretary of Cybersecurity Aliscia Andrews said she’s aware that cybersecurity weaknesses among localities put the commonwealth at risk, too, and is working now to discover each jurisdiction’s unique cyber challenges and needs. Andrews is striving to visit all 133 localities over the course of 60 days, to speak with their local CISOs and CIOs about their setups, concerns and desires from the forthcoming grants.

Virginian deputy secretary of cybersecurity Aliscia Andrews speaks during the virtual panel.

“We’re asking localities what they actually need,” Andrews said. “My tour of the commonwealth… [aims] to find out what their needs bases are, what gaps we have, and how to use the money from the federal government so it’s going to be beneficial to them.”

Another piece is setting up processes intended to make it easier for localities to apply for grants as they become available, including by establishing a grant team and compiling useful information, Hernandez said.

Alaska CISO Chris Letterman said his state is working to get better insight into its localities and hopes the federal grants will bolster these efforts.

“One of the things the SLTT grant is providing us is that on-ramp to establish a statewide view of cybersecurity,” he said.

Alaska aims to focus first on creating an advisory council to inform it about localities’ needs and help guide its cybersecurity plan. Letterman said it will be important for the council to include voices from the kinds of jurisdictions where one person juggles IT responsibilities alongside several other roles.

His near-term goals for Alaska include improving abilities to protect state workers’ and residents’ identities, using a zero-trust approach to safeguard remote workforces and increasing trainings, tabletop exercises and other efforts to raise security awareness across the government workforce.

Letterman added that uncertainty around when the grants will arrive has created some hurdles, but said the funding has “tremendous potential.”

“We’re still kind of in this start-and-stop feeling with the federal government in terms of when the Notice of Funding Opportunities is going to actually hit the street,” Letterman said. “And that’s really going to dictate a lot of the how we’re able to answer some of those needs and fulfill some of the things the SLTT grant’s got.”
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.