Committee adopts amendment to shift cybersecurity bill toward assessments, sends measure to Ways and Means

Co‑Chair Nathanson on Friday opened a work session on House Bill 3,228 and, after discussion, the Joint Committee on Information Management and Technology voted to adopt a dash‑1 amendment and to report the bill to the Joint Committee on Ways and Means.

The dash‑1 amendment narrows the bill’s original focus from a broad study of public‑body cyber insurance to a program of assessments and targeted assistance. The amendment directs the Oregon Cybersecurity Advisory Council to conduct more detailed assessments that identify and document cybersecurity vulnerabilities and “recommend actions to address the reasons that public bodies are unable to meet cybersecurity insurance coverage requirements,” and it extends the advisory council’s reporting deadline to the interim committees of the Legislative Assembly from December 31, 2025, to September 30, 2026. The amendment also extends a scheduled repeal date from January 2, 2026, to January 2, 2027, and allows monies in the Cybersecurity Resilience Fund to pay for assessments, documentation of coverage shortfalls and cybersecurity training in addition to the fund’s originally listed uses.

Why it matters: Committee members said many smaller local governments, school districts and special districts still cannot meet insurers’ underwriting requirements even as more cyber‑insurance options have become available. The adopted amendment is intended to catalogue needs, create road maps for remediation and target limited state resources where they are most needed before the state considers larger subsidy or insurance‑pool measures.

Committee discussion and expert testimony

Committee staff summarized the amendment’s changes before the witnesses spoke. ‘‘If that amendment were to be adopted … the Oregon Cybersecurity Advisory Council would instead be directed to conduct more detailed assessments to identify and document cybersecurity vulnerabilities and recommend actions to address the reasons that public bodies are unable to meet cyber security insurance coverage requirements,’’ staff member Sean told the panel.

Frank Stratton, executive director of the Special Districts Association of Oregon, said statewide public‑entity insurance pools already provide a basic backstop that many smaller entities could not obtain on the commercial market but that higher coverage levels require meeting underwriting standards. ‘‘We’ve put together very, options, and 1 is very basic option … you don’t have to meet really any underwriting requirements to get that very basic level of coverage,’’ Stratton said, adding that ‘‘there’s a whole lot of entities … that can’t get up to another level and wouldn’t be able to buy cyber insurance without us.’’

Greg Hart, cybersecurity specialist with City County Insurance Services, said the amendment and the center’s assessments could increase the number of counties that qualify for higher coverage. ‘‘On the counties, yes, it would potentially get us to’’ higher coverage levels, Hart said, noting the pool’s coverage limits ‘‘go up to 2,000,000’’ and that some larger counties may need higher limits from other markets.

Biroli Shilada, director of the Oregon Cybersecurity Center of Excellence and a professor at Portland State University, described the proposed scope and cost of the assessment program. He said the center’s initial assessments are designed as a first pass to identify shortcomings and to produce an individualized report for each assessed entity. ‘‘This is not going to be an … thorough 3 week long assessment … but give us … to identify what are the shortcomings,’’ Shilada said, adding that the proposal budgets about $1.7 million to run assessments and that remediation costs would vary ‘‘from very 1,500, low cost, or it could be very, very expensive depending on each vulnerability assessed.’’ He said the center would use supervised students paid about $15 to $25 an hour to keep costs low and contrasted that with private consultants who ‘‘could be running anywhere from 400 to a thousand dollars an hour.’’

Committee action

Senator Manning moved adoption of the dash‑1 amendment to House Bill 3,228; the motion passed with no recorded objections. Manning then moved that the bill be reported out ‘‘with a due pass as amended recommendation and be referred to the Joint Committee on Ways and Means by prior reference.’’ The committee approved that motion and the bill was sent to Ways and Means.

What the amendment does and next steps

The amendment refocuses the bill on documenting vulnerabilities, producing entity‑level reports and supporting training; it pushes the advisory council’s report deadline to September 30, 2026; extends a statutory repeal date to January 2, 2027; and allows fund monies to pay for assessments and training. The committee did not adopt additional appropriations on the floor; the bill will now move to Ways and Means for budget consideration.

Committee members and witnesses repeatedly emphasized that assessment reports will give agencies and local governments a roadmap for remediation and that some fixes—training, administrative changes or use of state contracts—can be implemented quickly while equipment or infrastructure upgrades may require additional funds or federal grants. The committee closed the work session and moved on to other hearings.