Self-Insurance, Grant Planning on States’ Cyber Agendas

States are turning to self-insurance as cyber policies raise costs and reduce coverage, Colorado CISO Ray Yepes said at a FedInsider event yesterday.

“Almost every state has self-insured, and if they don’t, they’re working to get self-insured,” Yepes said.

Colorado itself saw its insurance premiums quadruple from $500,000 last year to $2 million this year, and the more expensive plan was also a weaker one, coming with higher deductibles and reduced coverage and benefits.

States are facing a risk that prices will continue to rise and cyber insurance will become scarce. Colorado had to change insurers starting this year to find a company willing to cover it, Yepes said, adding that some CISOs have encountered insurers removing ransomware from their cyber coverage.

“To me, if you’re going to get cyber insurance, that’s the main reason you want to get it — it’s ransomware,” Yepes said.

This is not limited to the U.S. The global Lloyd’s of London insurance market, he said, recently issued an order advising insurance companies that sell on its platform to exclude coverage for government-sponsored cyberattacks, or those that cause other problems. The rules will come into force in March 2023.

Public agencies have a unique opportunity to switch to self-insurance instead, Yepes said, because of the number of backup resources available to them if their reserves are exhausted.

“If you’re in the state, I’d imagine you’re getting insurance for your state, your agency, your city,” Yepes said.

Instead of Colorado paying a large amount to an insurer each year, Yepes wants the state to set that money aside in an insurance fund that it pays into each year. If a cyber incident turns out to cost more than the fund can cover, the state can tap into its emergency funding mechanism. States often have large disaster or emergency funds, up to $50 million or more, he said.

And these resources are not the last resort. Governors can declare a crisis to help deal with a problem that needs more money, turn to federal law enforcement agencies like the Secret Service and the FBI for help, and call up the National Guard and its cyber experts, Yepes said.

Another point in favor of self-insurance? States don’t have to use vendors chosen by their insurers, which frees them up to use companies with which they have existing relationships, Yepes said. This means that the vendors who are brought in during an emergency are those who already know the state’s procedures.

Yepes said that he wants to present the governor of Colorado with legislation that establishes a self-insurance program.


Yepes came to Colorado in April, with a resume that includes five years as CISO of the Texas Department of Family and Protective Services. This change showed him the difference between working under Texas’ decentralized IT infrastructure and Colorado’s centralized model.

A decentralized approach sees each organization have its own IT staff, systems and processes, with the state government’s IT department focused on providing key policies and guidelines. Centralized state IT approaches, by contrast, see a single state IT department as the main source of IT processes, management, services and personnel.

This decision could have a significant impact on cybersecurity, Yepes said.

“One of the best things [of centralized infrastructure] is security,” he said.

The central IT department has a lot of control, which helps to implement the policies quickly.

“One of [the impacts] people don’t realize is the speed of decision making. The central organization is very fast,” said Yepes. “Comments will be used within two hours in different groups or organizations that you are working with.”


As federal and state governments prepare to regulate the Internet, many are looking forward to long-promised cybersecurity aid, which is slated to be delivered this year under the Infrastructure Investment and Jobs Act (IIJA).

Virginia’s Deputy Secretary of Cybersecurity, Aliscia Andrews, said she knows that cybersecurity weaknesses among regions also put people at risk, and she is working now to identify the unique challenges and needs of each region. Andrews is working to visit all 133 regions in 60 days, to talk to CISOs and CIOs in their regions about their implementation, their concerns and what they hope to get from the upcoming grant.

“We’re asking communities what they need,” Andrews said. “My Commonwealth tour… [aims to] know what they need, the opportunities we have, and how they can use public money to benefit them.”

Another part is establishing processes designed to make it easier for communities to apply for funding when it becomes available, including establishing a support group and documenting useful information, Hernandez said.

Alaska CISO Chris Letterman said his state is working to better identify its regions and hopes federal aid will help with that.

“One of the things that the SLTT grant gives us is on the way to show the world about cybersecurity,” he said.

Alaska wants to look first at creating an advisory board to inform local needs and help improve its cybersecurity plan. Letterman said it will be important for the board to include voices from areas where one person manages IT along with multiple other roles.

His near-term goals in Alaska include improving the ability to protect the information of state employees and residents, using a zero-trust approach to protect remote workers and increasing training, tabletop exercises and other public employee awareness efforts.

Letterman added that uncertainty over when the money would arrive has created some obstacles, but said the money “has a lot of potential.”

“We’re still kind of in a start-and-stop feeling with the federal government’s word on when the Financial Opportunity will actually hit the road,” Letterman said. “And that will tell us a lot about how we can address some of the needs and fulfill some of the things that the SLTT grant has.”