Public Sector Risk

Public Sector Upgrading Cyber Security

States have launched initiatives ranging from cyber academies and public-private partnerships to dashboards, and cyber preparedness and response plans.
By: | October 28, 2016 • 5 min read

Public sector risk managers and experts alike say much more needs to be done about cyber security to translate awareness into concrete actions that protect sensitive data.

Advertisement




Only one-third (29 percent) of IT managers in state governments provide their governors with monthly reports on cyber security, compared with only 17 percent in 2014, according to a joint report from Deloitte and the National Association of State Chief Information Officers (NASCIO).

That level of communication has not yet extended to state legislatures, according to the study, “State Governments at Risk: Turning Strategy and Awareness into Progress,” which surveyed 96 state business and elected officials.

Nearly one-third of respondents said they “never communicate” with their legislatures, unchanged from 2014 — which is “an important consideration, given the legislature’s role in appropriating funds,” according to the report.

Still, many states are starting to act and make progress in areas visible to governors.

More than half (54 percent) of respondents said they have implemented at least some of the cyber security recommendations by the National Governors Association, compared with only one-third (33 percent) in 2014.

Mark Raymond, chief information officer, State of Connecticut

Mark Raymond, chief information officer, State of Connecticut

Governors in a number of states have launched initiatives ranging from state cyber academies and public-private partnerships to dashboards, and preparedness and response plans.

The 2016 survey results are the first time there is “some significant traction around the issue,” said Mark Raymond, chief information officer for the State of Connecticut and president of the National Association of State Chief Information Officers based in Lexington, Ken.

“It’s not just about the increased risk and threat, but there are states that are making positive progress in articulating a strategy to increase awareness around what they are doing to reduce the risk,” Raymond said.

Public entities need to take a hard look at all of their computer technology — both hardware and software — and question the totality of access and whether each individual’s access is necessary and appropriate, said Marilyn Rivers, risk manager for the city of Saratoga Springs, N.Y.

“Risk managers need to take a trip to their server rooms and examine the security and access,” Rivers said. “Ask about password control and the regular backup of the information that flows throughout their organizations on an hourly and daily basis.

“Ask how your organization protects itself from all the hand-held mobile devices your employees use or the laptops taken home for work projects,” she said.

She said public sector risk managers should have a plan for what would happen if information stops flowing throughout the organization. Do you have a backup separate from the live system? Can your government recreate itself if held hostage?

Rivers also said public sector risk managers should examine access to websites, including which websites are visited by employees and what tracking cookies are involved.

“Every public entity is facing an urgent cyber crisis that is dynamic and in constant change,” Rivers said. “It is vitally important to all of us as we govern collectively to identify our network access and vulnerabilities and invest in technology and people to assist us in managing this global risk frontier.”

Barry Scott, deputy director of finance and risk manager, City of Philadelphia

Barry Scott, deputy director of finance and risk manager, City of Philadelphia

It is also important for public sector risk managers to invest in a comprehensive insurance program that assists in mitigating and managing the cost of the risks their governmental entity faces, she said.

Barry Scott, deputy director of finance and risk manager for the City of Philadelphia, said that it’s critical that his team strives “to ensure that every city department bears the responsibility for managing information correctly.”

“The first layer is trying to make sure that people are smart in how they manage the information we have about residents and businesses in the city, and storing the information in the proper format,” Scott said. “That helps work with the IT layer, so that appropriate security can be placed to protect that information.”

The public sector also faces a somewhat unique set of challenges — in order to add more resources to the organization’s capabilities, the tax base needs to be engaged, he said.

“Our citizens need to be aware that the services they seek, namely, the ease of access to their information that automated systems bring, have some issues in terms of security and protection — and those services have a cost which we as citizens have to bear,” Scott said.

“One of our biggest challenges as a public entity with finite resources is getting the best value in our resources — and in an increasingly digital world, cyber security is a priority.”

Advertisement




Raymond of NASCIO recommended that IT professionals and risk management departments in the public sector measure where their organizations are on the “cyber risk scale,” what kind of data they have and how they are protecting it.

“You can’t improve the things that are you are not measuring,” Raymond said. “Once you understand the value of that data, you need to determine what controls are needed to be put in place to protect the data.”

Then IT and risk management need to articulate their strategies to the executive management team in a way that enables them to understand both the threat and the efforts around it in a concise manner, he said.

Once executive management clearly understands what can be done about cyber security risks, they can appropriately prioritize resources to reduce exposure.

“States not only have to mitigate for financial risk of data loss or theft from state accounts, but also for the loss of data containing people’s personal information from many sources like birth and death certificates,” Raymond said.

Kristin Judge, director of special projects, National Cyber security Alliance

Kristin Judge, director of special projects, National Cyber security Alliance

“State governments also need to be aware of how cyber attacks can result in lost productivity, lost trust of government, and increased risk of bad decisions — such as a cyber criminals directing the state to let someone out of jail who isn’t supposed to be, or putting someone in jail that’s not supposed to be there.”

Kristin Judge, director of special projects at the National Cyber Security Alliance in Washington, D.C., said her group stresses to public sector risk managers that they must communicate that their entire governmental organization has responsibility for cyber security, and that all workers must be part of the solution.

“We want people to create a culture of cyber security, and just as they have fire drills, they should also have cyber security drills like checking the quality of backups and the process for restoring data, for example,” Judge said.

“It’s also very important to have training, as 90 percent of attacks do not come from sophisticated code meant to break through IT security systems, but rather from employees just clicking on phishing emails — so 90 percent of attacks can be stopped by trained staff.”

Katie Kuehner-Hebert is a freelance writer based in California. She has more than two decades of journalism experience and expertise in financial writing. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

2017 RIMS

RIMS Conference Opens in Birthplace of Insurance in US

Carriers continue their vital role of helping insureds mitigate risks and promote safety.
By: | April 21, 2017 • 4 min read

As RIMS begins its annual conference in Philadelphia, it’s worth remembering that the City of Brotherly Love is not just the birthplace of liberty, but it is the birthplace of insurance in the United States as well.

In 1751, Benjamin Franklin and members of Philadelphia’s first volunteer fire brigade conceived of an insurance company, eventually named The Philadelphia Contributionship for the Insurance of Houses from Loss by Fire.

Advertisement




For the first time in America — but certainly not for the last time – insurers became instrumental in protecting businesses by requiring safety inspections before agreeing to issue policies.

“That included fire brigades and the knowledge that a brick house was less susceptible to fire than a wood house,” said Martin Frappolli, director of knowledge resources at The Institutes.

It also included good hygiene habits, such as not placing oily rags next to a furnace and having a trap door to the roof to help the fire brigade fight roof and chimney blazes.

Businesses with high risk of fire, such as apothecary shops and brewers, were either denied policies or insured at significantly higher rates, according to the Independence Hall Association.

Robert Hartwig, co-director, Center of Risk and Uncertainty Management at the Darla Moore School of Business, University of South Carolina

Before that, fire was generally “not considered an insurable risk because it was so common and so destructive,” Frappolli said.

“Over the years, we have developed a lot of really good hygiene habits regarding the risk of fire and a lot of those were prompted by the insurance considerations,” he said. “There are parallels in a lot of other areas.”

Insurance companies were instrumental in the creation of Underwriters Laboratories (UL), which helps create standards for electrical devices, and the Insurance Institute for Highway Safety, which works to improve the safety of vehicles and highways, said Robert Hartwig, co-director, Center of Risk and Uncertainty Management at the Darla Moore School of Business at the University of South Carolina and former president of the Insurance Information Institute.

Insurers have also been active through the years in strengthening building codes and promoting wiser land use and zoning rules, he said.

When shipping was the predominant mode of commercial transport, insurers were active in ports, making sure vessels were seaworthy, captains were experienced and cargoes were stored safety, particularly since it was the common, but hazardous, practice to transport oil in barrels, Hartwig said.

Some underwriters refused to insure ships that carried oil, he said.

When commercial enterprises engaged in hazardous activities and were charged more for insurance, “insurers were sending a message about risk,” he said.

In the industrial area, the common risk of boiler and machinery explosions led insurers to insist on inspections. “The idea was to prevent an accident from occurring,” Hartwig said. Insurers of the day – and some like FM Global and Hartford Steam Boiler continue to exist today — “took a very active and early role in prevention and risk management.”

Whenever insurance gets involved in business, the emphasis on safety, loss control and risk mitigation takes on a higher priority, Frappolli said.

“It’s a really good example of how consideration for insurance has driven the nature of what needs to be insured and leads to better and safer habits,” he said.

Workers’ compensation insurance prompted the same response, he said. When workers’ compensation laws were passed in the early 1900s, employee injuries were frequent and costly, especially in factories and for other physical types of work.

Because insurers wanted to reduce losses and employers wanted reduced insurance premiums, safety procedures were introduced.

“Employers knew insurance would cost a lot more if they didn’t do the things necessary to reduce employee injury,” Frappolli said.

Martin J. Frappolli, senior director of knowledge resources, The Institutes

Cyber risk, he said, is another example where insurance companies are helping employers reduce their risk of loss by increasing cyber hygiene.

Cyber risk is immature now, Frappolli said, but it’s similar in some ways to boiler and machinery explosions. “That was once horribly damaging, unpredictable and expensive,” he said. “With prompting from risk management and insurance, people were educated about it and learned how to mitigate that risk.

“Insurance is just one tool in the toolbox. A true risk manager appreciates and cares about mitigating the risk and not just securing a lower insurance rate.

“Someone looking at managing risk for the long term will take a longer view, and as a byproduct, that will lead to lower insurance rates.”

Whenever technology has evolved, Hartwig said, insurance has been instrumental in increasing safety, whether it was when railroads eclipsed sailing ships for commerce, or when trucking and aviation took precedence.

The risks of terrorism and cyber attacks have led insurance companies and brokers to partner with outside companies with expertise in prevention and reduction of potential losses, he said. That knowledge is transmitted to insureds, who are provided insurance coverage that results in financial resources even when the risk management methods fail to prevent a cyber attack.

Advertisement




This year’s RIMS Conference in Philadelphia shares with risk managers much of the knowledge that has been developed on so many critical exposures. Interestingly enough, the opening reception is at The Franklin Institute, which celebrates some of Ben Franklin’s innovations.

But in-depth sessions on a variety of industry sectors as well as presentations on emerging risks, cyber risk management, risk finance, technology and claims management, as well as other issues of concern help risk managers prepare their organizations to face continuing disruption, and take advantage of successful mitigation techniques.

“This is just the next iteration of the insurance world,” Hartwig said. “The insurance industry constantly reinvents itself. It is always on the cutting edge of insuring new and different risks and that will never change.” &

Anne Freedman is managing editor of Risk & Insurance. She can be reached at [email protected]