State CISO reports 77 incident reports since 2021; phishing remains top vector, one active ransomware case

Legislative IT Committee · March 26, 2026

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

NDIT's chief information security officer told the committee that 77 incident reports have come through since mandatory reporting began, 47 met the statutory reporting threshold, phishing accounted for the largest share, and one active ransomware incident was reported in March 2026.

Chris Gergen, North Dakota's Chief Information Security Officer, briefed the Legislative IT Committee on the state's mandatory cybersecurity incident reporting process and recent notable intrusions.

Gergen said 77 incidents have been reported to NDIT through the mandated channel since August 2021; after triage, 47 of those met the statutory definition that requires formal reporting to the agency. "Not all of those meet the actual letter of the law," he said, describing the difference between citizen reports (which NDIT refers to law enforcement) and incidents that trigger state assistance.

Phishing was the single largest incident category, followed by quarantined email events and XDR (extended detection and response) alerts. Gergen described several notable incidents the team responded to in 2024 and 2025: the PowerSchool compromise (January 2025), SimpleHelp vulnerabilities that led to school intrusions (February 2025), a court intrusion that was detected and mitigated (April 2025), a Windows Server Update Services vulnerability exploited in October 2025, and a K–12 business‑email compromise in November 2025. He said the state had helped affected entities with containment, patching, access restrictions and guidance on disclosure requirements.

On more recent activity, Gergen said all previously reported incidents have been resolved or closed except for one active ransomware incident reported in March 2026. "All of the incidents that have been reported to us... have been resolved or closed, except for one exception, which is a ransomware incident that was just reported to us here in March '26," he said.

Gergen urged broader promotion of the mandatory reporting process (navigable via a "report an incident" button on NDIT's site), wider adoption of multifactor authentication and expanded security awareness training. He also described automation gains: approximately 39.4% of incidents are closed by automation, freeing analysts to focus on complex investigations.

Committee members asked about recovery of monetary losses in cases of ransomware and business email compromise. Gergen said timeliness is essential for recovery but that, "more often than not, the funds are not recovered," though prompt action and cooperation with financial institutions and federal partners can increase recovery chances.

The committee asked NDIT to return with metrics on statewide maturity assessments, conditional access and MFA adoption across political subdivisions; staff agreed to follow up.