Suffolk County’s potential vulnerability to a cyberattack may have been signaled in the months and years leading up to September’s ransomware attack by its lack of something most homeowners wouldn’t dream of without: insurance.
The county has never had a dedicated cyber insurance policy to cover events like the crippling ransomware attack, a fact that security and insurance experts say has increased its vulnerability because the policies require a thorough assessment of a company’s security measures and infrastructure.
Suffolk officials acknowledged that the county’s decentralized networks lacked key security components deemed essential to obtaining cyber insurance, so the county never qualified.
“We just wouldn’t have been eligible,” County Executive Steve Bellone replied to Newsday questions last month. “What she [insurers] you need to reassure yourself, the level of protection you need, the sophistication of the systems, the hardware, the best practices clearly not being applied here.”
GOOD TO KNOW Suffolk County had no cyber insurance in the years leading up to the September ransomware attack. Security and insurance experts say this has increased its vulnerability because the policies require a thorough assessment of an organization’s security measures. Suffolk officials acknowledged the county’s decentralized networks lacked a number of key components deemed essential to obtaining cyber insurance.
When asked if the county had applied for insurance, Bellone said, “We have not applied.”
Overall, experts say, the deficiencies found by Suffolk, which caused it to be uninsurable, pointed to a security flaw that was ultimately exploited.
“If you want to insure a building, the building has to comply with the regulations,” said Justin Cappos, associate professor of computer science and engineering at New York University’s Tandon School of Engineering. He and others were puzzled by Bellone’s statement that the county was “ineligible.”
“It’s a bit like saying, ‘No one would give me auto insurance,'” Cappos said. “One would ask, ‘Do you have a license? Do you have a history of car accidents?’ ”
Cyber insurance policies that cover some of the costs of ransomware attacks, like the one that Suffolk suffered on September 8, have become relatively common as attacks have increased and companies and governments seek to limit their risks.
The New York State Association of Counties, of which Suffolk is a member, surveyed its more than 60 members about cyber insurance last fall. Of the 26 companies that responded, 21 had cyber insurance: 12 had $1 million in cyber insurance, five had $5 million in cyber coverage, and two had coverage of $2 million and one had coverage of $500,000 and $3 million respectively. Five had no coverage at all.
But the cost of insurance is skyrocketing, experts say, as is the complexity of applying. Like some life insurance policies, they require lengthy questionnaires that delve deep into a company’s computer infrastructure to specify its level of preparation.
Cappos said companies seeking cybersecurity insurance must demonstrate they have certain controls and protections in place before receiving them. “If you’re willing to put in the right controls, you can get it,” he said, positing, “I would imagine there were serious problems.”
“I’ve never heard of anyone being ‘unqualified,'” agreed Robert Rivera, an insurance broker at Port Jefferson Station who sells cyber insurance. He said he recently had a client whose renewal for cyber insurance was denied, “but I still found another company for half what they paid” to provide a policy.
Dan Levy, security architect at Sourcepass, a managed information technology service provider, said his company has never turned down a customer for cybersecurity insurance, even after a breach.
According to Levy, companies looking for cybersecurity insurance typically have to fill out a questionnaire. “The answers provided increase or decrease costs. They don’t disqualify the customer.”
Suffolk Borough officials said they believed deficiencies in safety infrastructure largely prevented the borough from applying for insurance at all and that delays in implementing safety improvements were largely due to handling the COVID-19 pandemic, which diverted resources and forced the district to work remotely, officials said.
For example, Suffolk has never had a chief information security officer in charge of all county agencies, despite a recommendation in a 2019 county-commissioned risk study that one should be hired. Instead, Suffolk had a computer security “coordinator” who was reinstated as a contractor after retiring in 2021. He moved to Florida earlier this year, but his contract with the county runs through the end of April, for an amount not to exceed $145,600, according to documents obtained by Newsday as part of a Freedom of Information Act filing.
Bellone said the county was working toward a chief security officer in 2020, but dealing with COVID-19 concerns has slowed progress as other actions that would have increased the county’s eligibility for cyber insurance have slowed. A chief security officer could be hired in the coming weeks, said county adviser Michael Balboni, who helped conduct the 2019 county systems risk assessment.
“With a decentralized system, you’re not eligible for insurance,” said Deputy County Executive Vanessa Baird-Streeter. Credit: Corey SIPkin
Deputy District Manager Vanessa Baird-Streeter said following Bellone’s comments that the district’s diverse and decentralized computer network, which spans several district offices, was also a factor in the inability to obtain insurance.
“You’re not eligible for a decentralized system,” she said, noting that the county is now working toward centralized security.
Even now, Baird-Streeter said in a statement, the county “does not currently qualify” for cyber insurance, although it does have “criminal protection insurance against computer hackers with unauthorized access attempting to transfer funds or securities to unauthorized accounts.”
Baird-Streeter said the county found that “most insurance carriers would require the county to use multi-factor authentication, which was recently rolled out,” along with patch management and vulnerability management across the organization, a chief information security officer and privileged Access across the enterprise across the enterprise, alongside a host of other factors.”
Even assuming that the county eventually meets all eligibility requirements for cyber insurance, according to Baird-Streer, the county would “need to make a business decision as to whether such insurance makes sense, taking into account premiums, exclusions from coverage, and deductibles.”
NYSAC had attempted to interest an airline in pooled county insurance, but brokers showed “little to no appetite for it,” said Mark LaVigne, deputy director of the association.
Brookhaven Town Supervisor Ed Romaine said the town had had cybersecurity insurance for several years, and “it wasn’t hard to come by,” he said. “You have to meet certain standards.”
Romaine, a Republican running for borough executive, said the city bought cybersecurity insurance because he felt it was important. “This is Government 101. It’s fundamental,” he said.
During a Sept. 7 NYSAC cyber insurance briefing, Kevin Crawford, executive director of New York Municipal Insurance Reciprocal, a state agency that provides insurance to local governments, noted that applications for cyber insurance, which used to be a half Page spanned, are now 25 to 30 pages long. All focused on a government’s “IT hygiene,” he said, referring to the state of their computer network security.
Crawford said there is an “understanding” among local government leaders that cyber insurance is “an investment we need to make,” calling cyber insurance that governments buy “vital, essential and necessary, despite the… The fact that costs are increasing in this way makes it very difficult to accommodate your budget.”
“In the short term, insurers will continue to ask more questions,” he said. “And that’s probably going to stay that way until they feel they understand the risk you’re taking with the different programs and services, the level of IT expertise you have, and the type of security you can achieve and maintain.” ”
A challenge for government, Crawford said, is “inflexible” local government budgets,
Bellone said last month he believes the county can meet that challenge.
“If it makes sense, I don’t think that if they’re presented with this and it made sense, the legislature, evaluated the risks and evaluated the potential benefits, that they’re opposed to that,” he said, adding, “That is certainly something we would consider across the board.”
By Mark Harrington and Sandra Peddie
