Oregon Cybersecurity Center plans assessments for local governments' insurance eligibility

The Joint Committee on Information Management and Technology convened on April 18, 2025, to discuss critical issues surrounding cybersecurity coverage for local governments in Oregon. The meeting focused on the challenges faced by smaller entities in obtaining adequate cyber insurance and the proposed solutions to enhance their cybersecurity posture.

The session began with a presentation highlighting the current state of cyber insurance availability for local governments. It was noted that many entities lack sufficient coverage, with only 36% reportedly insured. The committee discussed the importance of a basic level of cyber coverage, which is currently provided by nonprofit organizations like City County Insurance Services (CIS). These organizations fill a significant gap, offering coverage options that do not require stringent underwriting, thus allowing many smaller entities to participate.

Greg Hart, a cybersecurity specialist with CIS, emphasized that without these nonprofit services, many local governments would struggle to secure any form of cyber insurance. He indicated that while basic coverage is available, many entities are unable to meet the requirements for higher levels of protection, which are essential for mitigating risks associated with cyber threats.

The committee also explored the financial implications of upgrading cybersecurity measures. Biroli Shilada, a professor at Portland State University, outlined the costs associated with conducting cybersecurity assessments for approximately 1,500 entities. He noted that while the initial assessment could be relatively low-cost, the subsequent upgrades needed to address vulnerabilities could run into millions of dollars. The committee acknowledged that many rural communities may not have the budget to hire external consultants for these assessments, making the proposed student-led assessments a viable alternative.

Concerns were raised about the potential risks of creating a database of vulnerabilities, which could inadvertently expose entities to cyber threats. Shilada assured the committee that all data collected would be securely held and not accessible outside the United States, addressing fears about privacy and security.

The discussion also touched on the need for awareness training for staff in local governments, as human error is a significant factor in cybersecurity breaches. The committee agreed that providing training and resources would be crucial in helping these entities improve their cybersecurity practices.

In conclusion, the meeting underscored the urgent need for enhanced cybersecurity measures among local governments in Oregon. The committee plans to continue exploring ways to support these entities, including potential legislative actions to facilitate better access to cyber insurance and resources for improving cybersecurity infrastructure. The next steps will involve further discussions on the implementation of training programs and the establishment of partnerships with private sector vendors to provide low-cost solutions for local governments.