[Navy blue CAI "We power the possible" logo appears on screen with white background, with www.cai.io below in black.]

[Title slide. The slide title reads: "Securing coverage: How counties can navigate cyber insurance hurdles". Above the title, in smaller teal text, reads: "A NACo Webinar". Near the bottom of the slide, two logos are aligned horizontally. On the left, under text that reads "CAI is a sponsor of", is the National Association of Counties logo, and on the right is the navy blue CAI logo with tagline "We power the possible".]

[Presentation slide 1. Aligned vertically on the left side of the screen are three video call screens indicating speakers, labeled from top to bottom as: "Laurel Caldwell | Latah County", "Rick Owens | Pitt County", and "Charles Snyder | CAI". To the right, a slide features the CAI "We power the possible" logo on the top left. Below, the text reads: "Webinar. Securing coverage: How counties can navigate cyber insurance hurdles".]

00:00:08 - 00:01:01 Charlie Snyder: Hello, my name is Charlie Snyder. I'm a director of cyber security at CAI and I'll be acting as your moderator for today's discussion on how counties can navigate the cyber insurance hurdles. Our goal today is just to give you a highlight of some of the growing threats and impacts to county governments and their constituents from cyber attacks and vulnerabilities, and also talk about how cyber insurance coupled with a good cyber risk management program can help you mitigate some of these risks. We'll help you understand the cyber threat landscape, discuss challenges that counties have had recently in obtaining and retaining good cyber insurance, and discuss methods of doing a cyber insurance assessment that goes beyond just filling in the blanks. So without further ado, I'd like to introduce a couple of other speakers.

[Presentation slide 2. The slide is titled "Meet our guests," featuring three circular speaker photos below.
From left to right: "Laurel Caldwell, Chief Information Officer, Latah County, Idaho", "Rick Owens, Information Technology Security Manager, Pitt County, North Carolina", and "Charles Snyder, Cybersecurity Director, CAI".]

00:01:02 - 00:01:06 Charlie: So Laurel, why don't you introduce yourself?

00:01:07 - 00:01:28 Laurel Caldwell: Sure. I am Laurel Caldwell. I'm the CIO at Latah County in Moscow, Idaho. I've been here since 2008, so a while now. I've seen a lot of things come through with the IT, and insurance is one of them.

00:01:29 - 00:01:30 Charlie: Rick?

00:01:30 - 00:02:07 Rick Owens: So, Rick Owens. I'm the IT security manager and Deputy CIO of business systems and services for Pitt County government in Greenville, North Carolina. Prior to joining the team at Pitt County, I spent 16 years in various roles in higher ed managing cyber security, infrastructure, and risk management. In my current role, I'm focused on risk management, including the cyber insurance, and building partnerships that help us to deliver services to our constituents in a secure manner.

00:02:08 - 00:02:11 Charlie: Okay, great. So to kind of cue up this subject, I want to talk a little bit about...

[As the slide disappears, the speakers' photos enlarge with Laurel Caldwell and Rick Owens on the top half of the screen, and Charles Snyder centered on the bottom half of the screen.]

00:02:12 - 00:03:17 Charlie: ...some of the cyber threats that everybody is facing these days. And this is going to be a real quick overview. I think we all know that cyber threats and attacks are growing every day. For instance, the cost of a breach in the United States is now over $10 million and can take up to 241 days to resolve. Along with all these different attack methods, we now have to worry about the use of artificial intelligence. There's a lot of good articles out there right now about how attackers are using AI tools to get even more sophisticated attack methods.
In addition, while AI offers opportunities for improvement of efficiencies, we have to be concerned about the attack surface that our or your county's use of artificial intelligence and large language models may present to attackers. So let's ask the leaders: can you talk about some of the most prevalent threats that you have faced as counties and how they've affected your local governments recently?

00:03:18 - 00:04:28 Rick: I'll go ahead and jump in here. Thankfully, we haven't had to deal with too many live fire incidents where there was an actual compromise. As you mentioned, we are seeing an increase in the number of attempts, and really the thing we're seeing is that the number of attempts, in addition to growing, they're a lot more creative. As you said, the adoption of AI by the attackers is helping them. They're creating better phishing emails. It used to be that, and I think it's still in our training, that says, hey, these are some red flags: there are grammar issues, it doesn't sound like it was written right, there are typos, stuff like that. Well, now they're just taking that script and throwing it into ChatGPT or whatever and saying, proof this for you. And they get a crafted email that a year ago sounded like it was written by a machine. Now it's in natural language. It sounds like it was written, could have been written, by somebody within your organization. And they're doing the same thing with scripts for phone calls.

00:04:29 - 00:05:14 Rick: It used to be that you could pick up that stuff. Well, now they can... I have seen, we have not seen it here, I have seen it in some other places where they're using AI to actually generate the voice prompt to try to gain information, and then also just generally using that to gain information and knowledge about our operations, so they can go in and do full-blown research. What took somebody hours or days of digging through a website or this, that and the other, that information's available in seconds.
So that's some of the stuff we're seeing as far as the incidents that are coming in and the attempts.

00:05:15 - 00:05:28 Charlie: Okay. Well, Rick, I'm glad that you haven't had any major incidents. Laurel, I don't know if you want to share anything, or from other county officials. Have you heard about any recent incidents and lessons learned maybe you want to share, or to continue?

00:05:29 - 00:06:15 Laurel: Well, there are plenty of incidents every single day that come up, and you try to look at those as examples of how do I protect my own government, my own network for the government, so that we can continue business? And there are a lot of holes, and as soon as you fix one, there's another one that shows up. And we've had our own scares here, nothing too major, but it's just one click away. And just like Rick said, those phishing emails are so tricky nowadays and they look so believable.

00:06:16 - 00:07:17 Charlie: Yeah. And I'll just add on some general information. Phishing of course would still be one of the attack methods, but also gaps in your vulnerability and patching. They have tools that automatically discover those and go after those. So there's a lot of different threat environments that have been increasing. Now of course, one of the purposes of cyber insurance is to transfer at least a portion of that risk to the insurance carrier. It doesn't totally mitigate your risk, but it does transfer some of that risk. So I'd like to kind of highlight some of the issues on what it is to obtain appropriate insurance and retain it, and get the kind of support that you need from your insurance carrier. First of all, the growing demand for cyber insurance: it took a dive for a few years. Now it's growing back up again. Last year, or 2023 I believe it was, there were over 33,000 claims in the United States alone against cyber insurance policies.

00:07:18 - 00:08:07 Charlie: One of the challenges of course, that everybody faces, is how do you go about doing this?
We don't have the historical data, so it's harder for the insurance companies to underwrite this stuff. So you have to fill out a lot of questionnaires. Every time you go to an insurance broker, you can fill out a different questionnaire. They're time-consuming, and they may or may not help you align with what you're trying to do with your cyber improvement processes. So these are some of the challenges, and we can talk about some of the challenges of not having the right information for the cyber insurance carrier and how that plays out. So can you share any experience in these hurdles that you've had in navigating either getting insurance or dealing with insurance claims?

00:08:08 - 00:08:09 Laurel: I haven't had anything-

00:08:09 - 00:08:10 Charlie: Rick, got anything? Laurel?

00:08:10 - 00:08:11 Laurel: Oh, sorry.

00:08:11 - 00:08:12 Charlie: Go ahead, Laurel.

00:08:13 - 00:08:54 Laurel: I haven't had any specific hurdles with the insurance providers. Knock on wood, we've been able to still obtain insurance, but filling out the surveys and the assessments to get that insurance is a little bit harder and it takes a lot of time. And I would say that's probably the biggest thing with a small agency, is that you don't have time to fight the fires and fill out surveys, but you know that you need to do those so that you can have the insurance.

00:08:55 - 00:08:58 Charlie: Rick, what about you? Any ideas on that?

00:08:59 - 00:09:53 Rick: Yeah, so I was sitting here as you were talking, I was trying to think back. It was probably, it's been 10 plus years ago, and I was still in higher ed at this point in time, when we did our first questionnaire for cyber insurance. I mean, I think it was like three or four questions and it was just basic stuff. And now, as the attacks have grown, as the insurance companies have had to make some pretty significant payouts, they're starting to spot risks that they want to make sure are mitigated so they can help reduce their payouts.
I mean, insurance is a business. They're trying to reduce their payouts as well as make sure that they're providing a service to us as well.

00:09:54 - 00:11:08 Rick: So I mean, it's basically turned into a self-attestation light. It is almost like going through the PCI questionnaire or the HIPAA certifications, stuff like that. So one of the benefits that I had when I moved into this role was my time in higher ed, with the accreditation requirements we had from the various governing bodies. With that, if you didn't document it, it didn't happen. So that was ingrained in me before I even moved into this role. So it's similar with cyber insurance, and the cyber insurance is still very much an evolving market. They don't want to pay out if they don't have to. And the other challenge that we've got is, by statute, we're required to shop for insurance every set number of years, and each carrier hones in on different aspects. So if you're getting quotes from three or four different people, you're filling out three different sets of questionnaires and assessments and trying to make sure that you've got the documentation in place to back all that stuff up.

00:11:09 - 00:12:10 Charlie: So I think that's a good summary there: cyber insurance should be part of your overall cyber risk management processes, so the organization really understands. If you look just narrowly at one cyber insurance carrier, you may not have the full picture. So understand where your risks are around your organization, where are your keys to your kingdom, what are your golden caches of data. Also, I would like to point out, because these surveys are changing over time, and in the past they started as very simple surveys and people weren't maybe spending a lot of time and attention, we need to be careful about exclusionary language. There was an incident recently in Ontario, Canada, where someone had filled out a form saying they had MFA. They had MFA, but they hadn't actually enforced MFA.
They had a data breach, and I believe the insurance carrier initially denied the claim because when they actually did the forensics, they found out they did not enforce MFA across the board.

00:12:11 - 00:13:11 Charlie: So it's important to have that real complete understanding of your cyber posture before you commit to getting insurance. All right. So that brings up a good point there, which is why I got involved in this. And so I'd like to take a little moment to briefly talk about what we've done at CAI to address some of these concerns. And this is not a sales discussion, but I think it's important to talk about why we wanted to do this. We heard the comments about multiple questionnaires; they all asked different things and they weren't tied or connected to your overall cyber risk management processes. I also found that in the past, in some organizations, there was only one person on their own filling out the questionnaire and they weren't fully discussing this with the different stakeholders. So one of the things we first wanted to do was find a standard or framework we could map these questions to, and we ended up picking the National Institute of Standards and Technology Cybersecurity Framework 2.0.

00:13:12 - 00:14:18 Charlie: If you're not familiar with the NIST CSF, what's nice about it: A, it's been paid for, it's free. You can download it from the government for free. But also it's widely adopted, not only here in the US, but multiple international agencies have now mapped their control frameworks to the NIST CSF. I think one of the things I really like about the NIST CSF is the way it's structured. It gives you a top overall view that the non-IT person can understand. In short, you've got six main functions in the NIST CSF: Govern, Identify, Protect, Detect, Respond, and Recover.
So it's pretty easy to describe this to an elected official or even the public: what you're doing to protect your networks, what are you doing to detect issues, how are you responding to things? So that's very simple. So let me ask you, what do you think could be done on your end, the counties, to help streamline the acquisition process for cyber insurance?

00:14:19 - 00:15:14 Rick: I can go ahead and jump in here. My thing, be it good or bad, is there's overlap between a vast majority, or really all, of the controls that we're dealing with. You mentioned NIST, but we've also got the questionnaires and assessments that we're doing for PCI, for CJIS, for HIPAA. I am trying to remember the one that we were doing the other day, but that falls back to the CIS controls. And for the most part, they're all looking for similar things. So it's a matter of knowing where the data is, what controls you have in place, how the risks are being managed, but then it's also mapping out and cross-referencing the controls, maintaining the documentation.

00:15:15 - 00:16:18 Rick: It gets overwhelming, especially if you're a smaller shop or if you're operating in a vacuum, in a silo, as IT, because that's an issue there: a lot of times people will hear that, hey, this is cyber insurance, what does the business office have to do with it? Or what does this group have to do with it? And this is a business process. So it's establishing those relationships. But when it comes to the assessments, it's knowing what you have on hand and knowing what's changing. So you hit on it with the case that you mentioned in Ontario, but if I say I've got MFA in place, and it is today, if we make a change to it three months from now, it doesn't matter that I had MFA in place when I filled out the assessment. It's what's in place now.

00:16:19 - 00:17:12 Rick: So this has got to be a living and breathing document, following along with the best risk management and best cybersecurity practices.
As you're making these changes, you've got to update your documentation, you've got to keep the stuff in place, and it can get to be almost a full-time job just keeping track of the documentation and keeping everything in place. So we've got stuff here that we're doing where we maintain that documentation. So the MFA training, if we make a change, I've got stuff kind of mapped out that says, hey, if we add this application here, if we add this type of workflow here, how does that affect our risk management?

00:17:13 - 00:17:45 Rick: And it gets to be where you see the board on the wall with the yarn connecting all these different points and you look like you're borderline insane, but you've got to start keeping track of that. And it's documentation: what type of assessments have you done, what were those results? And then how are you addressing what was found in those assessments? So nobody expects perfect, but you've got to be working towards it.

00:17:46 - 00:18:03 Charlie: Great points there, Rick, about doing ongoing risk assessment. Laurel, would you like to add anything about how maintaining your policies and doing good risk assessment may help you reduce either your premiums or ensure better coverage going forward with your carriers?

00:18:04 - 00:19:12 Laurel: Yeah, well, having the assessment is helpful in having that guideline of where you have your gaps. I mean, I think every IT person knows that they could do improvements here or there, but having that assessment gives you an actual roadmap of what needs to be done. And if you can standardize on an assessment like the NIST, it is helpful because you're comparing apples to apples every single time. And so you know what you need to shore up as far as filling in. And then once you have an assessment that's standard like that, then you can apply it to all those different questionnaires that we're being asked to fill out all the time.
And then to Rick's point, it has to be a living document that you're constantly updating, because the network doesn't just get updated one time a year and then you sit on that until the next year. You're constantly updating it, and so that document also needs to be updated.

00:19:13 - 00:20:09 Charlie: Okay. Well, we've talked a little bit about filling out these surveys. So [inaudible 00:19:19] about, from what our research has shown, in general, and we can't specifically talk about every specific case. In general, what are the cyber insurance carriers and providers wanting to ensure? What is it they are concerned about? So let me think about a few different key things, some of the vital security controls and processes in place to mitigate your controls. So what have you done to prepare your county and your teams to meet these different ongoing requirements that you're seeing? And I think, maybe to Rick and Laurel's point, not just cyber insurance, but all these different requirements, whether it's PCI or CJIS. What in general are you doing to make sure you have the controls in place and mapping those out to meet those requirements?

00:20:10 - 00:20:40 Laurel: I would say having the assessments. Yeah, back to my point that it's a guidebook for where I'm at and where I need to make improvements. And it all applies to whether I'm doing CJIS or PCI or HIPAA. Those all have to be taken into account when you're making any kind of change to the network.

00:20:41 - 00:20:42 Charlie: Anything else, Rick?

00:20:43 - 00:21:54 Rick: Yeah, so diving in with that as well, you've got the assessments. I'm biased, and I know what we should be doing, I know what I think we're doing, but is that actually what's taking place? So that's having a third party, having some type of non-biased entity, be it automated, the network scans that you're getting done through Tenable or Rapid7 or whoever.
I know what we should have in place as far as group policy goes, or as far as security settings go, but has that actually been put in? Then bringing in, we try to do it annually or biannually, having a third party come in to actually evaluate the policies, because if I've written a policy, I know what it says, but it may be interpreted differently. So having those third-party assessments, because cyber insurance is going to be looking for that.

00:21:55 - 00:22:06 Laurel: Rick, that comes back to the MFA, like the Ontario incident, where you could say, check the box, I have MFA, but what does that really mean? Are you using it? Is it implemented?

00:22:07 - 00:22:52 Rick: Is it there? And then, I mean, same thing. It's kind of trend watching. I'm trying to think. Three years ago, I don't know that the insurance carriers could spell PAM. And last year everybody was asking, do you have privileged access management for your... one was asking across the board, one was for administrative access. It's actually understanding, I mentioned it a little bit earlier, I know what my policy is supposed to say, but it was also, what is the insurance carrier's question actually getting at? There's a question, then there's the intent.

00:22:53 - 00:23:52 Charlie: Exactly. So what we looked into was, we took a lot of different insurance carriers, and in short, I mean, there are some basic common questions. Do you have access controls in place? Do you use MFA? Do you have segmented networks? But in short, we found out, in general, there were about 15 categories of questions across the board that these carriers were covering. Now, we found out in the last year an additional one was artificial intelligence, because two years ago, nobody was asking about AI. So one of the things we're trying to do is then look at those broad categories.
Those individual questions might change a little bit, but if you have the good processes in place around data backup and recovery, you probably have the information to reword it to a specific. There are different things that different insurance carriers may ask. But in general, we found that these 15 categories should cover the vast majority.

00:23:53 - 00:24:30 Charlie: And by mapping them to the NIST CSF, like Rick brought out, you can then use cross-mapping to map those NIST CSF controls to the HIPAA security rule, to CJIS, to social security. There are multiple different ways to map them, but these are kind of best practices that the whole industry agrees should be in place. And of course it's going to change over time. And any assessment, again, like you guys pointed out, is a snapshot in time. You then augment that with other security assessments like penetration testing, vulnerability scanning, internal surveys.

00:24:31 - 00:25:06 Charlie: But the goal here is to get to those areas that the insurance carriers are concerned about. They're trying to protect their shareholders from the obvious stuff. And I think if we do a good job of blocking and tackling on the basics, we have a better chance of meeting those requirements. So I'll give you a few minutes here each. Would you like to give a kind of a couple minutes' overview of what you see on how you think other counties can look at their cyber insurance process?

00:25:07 - 00:25:08 Laurel: I think AI-

00:25:08 - 00:25:09 Charlie: Laurel, give me your thoughts.

00:25:10 - 00:26:03 Laurel: Yeah, I think AI is going to help play a role in helping even the smallest of agencies understand where their gaps are and what they can fix with that. But as you mentioned, Charles, and Rick, you mentioned it too, the threat actors are coming at you with the AI. So it's never going to be that you're going to be up on them. They're going to be up on you and you're always trying to react.
And having that awareness of where your network sits, using the assessments and keeping up with them, is going to be the key for shoring up where your gaps are.

00:26:04 - 00:26:05 Charlie: Okay. Rick?

00:26:05 - 00:27:12 Rick: So for us, as far as the biggest benefit or the biggest thing to make our lives easier, it is realizing, and I mentioned it earlier and I harp on it a fair amount, but with any of these assessments, with cyber insurance, but also PCI, CJIS, HIPAA, you've got to bring in your business partners. CJIS, I can answer from my standpoint, but I don't know what's going on. I'm not sitting in our law enforcement's headquarters every day. Same thing with PCI. I know what the network's doing, but I'm not sitting in our finance office where the cards are being processed. HIPAA, I'm not in public health every day. So you've got to have relationships with your business partners, with your other departments in the county, to know if they're also practicing the same thing that you've got going on.

00:27:13 - 00:28:30 Rick: What additional training do they have in place in addition to the base cybersecurity stuff? Are there any protections that you've got to have? Because that's one of the things that I saw from a carrier. And I was sitting here going over questionnaires a second ago to see what I had seen, and one of them asked, basically, are you adhering to all of the data security standards related to what you have stored on your servers? And I'm like, I sure think so. But that's a pretty broad question. And I know what they were getting at was, if I have a HIPAA violation or a HIPAA breach, or if I've got a PCI breach or a social security number breach or something like that, was I doing what I said I was doing with that specific data type?
And not to be overly cynical, but is it the insurance carrier looking for a way out, or are they just trying to cover their bases, saying, "Hey guys, are you doing what you're supposed to be doing?"

00:28:31 - 00:29:35 Rick: So that's where, again, the biggest thing to me is we've got to establish those relationships and business partnerships. So when these limit questionnaires come out for cyber insurance or any of it, it's not a once a year thing. It's a, hey, we've noticed this change, or you're putting this system in place. Here's how it affects us ongoing for PCI, for cyber insurance. Let's update our documentation. And it's a whole lot easier to me to do it a little bit at a time than trying to bust out these assessments. And that's where having a centralized repository for tracking, and then the version history of it, comes in. Hey, we did this. We answered it this way last year. Well, we've made these changes. We can answer it this way this year, and that may help to reduce the cost.

00:29:36 - 00:30:33 Charlie: Okay, great. So in conclusion, I think what we've heard is that what you need is not just filling out a questionnaire or survey. The days of 15 minutes of filling something out and sending it on, and you're good, are probably not appropriate anymore. So one of the things Rick hit on is doing a collaborative team effort to understand those risks, and you can't understand your cyber risk without understanding your business operations. So the assessment that we're talking about is one that goes through these 15 general areas. It is not just an IT technology checklist either. It goes into some of these business processes. And the idea is to capture not only are you compliant, yes or no, but give you a process maturity. How mature are you on this process? Are you, yeah, we're kind of ad hoc, we kind of do it, or are you, hey, we do this every month and we've got metrics and we can tick and tie everything?
00:30:34 - 00:31:23 Charlie: That gives you, Rick, a better idea that you've got a sustainable control. And one of the things we might want to think about doing is how to not just use this for cyber insurance, but drive all of your improvement processes for cyber posture. Yes, you might have the different surveys and questionnaires you've got to fill out, but the long-term goal here is to reduce your risk. You're never going to reduce risk to zero, I'm afraid to say. But you can mitigate a lot of it, you can transfer some of it. So I think following a good formal process to do a risk assessment will allow you to attack two problems at once: give you good information to share with your insurance provider and broker to get you the most appropriate coverage that you need for your risk, and help you drive process improvements.

00:31:24 - 00:31:30 Charlie: So I would like to thank our other panelists today, Laurel and Rick...

[Presentation slide 3. The speakers' videos move back to the vertical position at the left side of the screen. The left section features the "CAI" logo with tagline "We power the possible™" in white text. Below, there's a QR code with the instruction "Thanks for joining us! Scan the QR code to explore a cyber insurance assessment," followed by contact information: "www.cai.io," "@CAI," and "@CAI_Insights," each with respective icons. The right half of the slide is an image of blue and white cubes with a shield logo.]

00:31:31 - 00:31:50 Charlie: ...who've been very helpful in this process all along. And to learn more, we have a QR code there. If you would like to learn more about how this risk assessment works, please follow up on the QR code.

[Closing slide 1. Blue CAI "We power the possible" logo appears in the middle of the screen. Company website www.cai.io appears at the bottom center of the screen.]