New York State Comptroller Thomas DiNapoli’s office has begun a review of Oyster Bay’s information technology security following a nearly two-week town computer shutdown in December.
"We have a review underway now," DiNapoli spokeswoman Jennifer Freeman wrote.
Freeman said the review, which began Jan. 4, would determine the scope of a potential audit of the town’s IT security but declined to provide details.
Last month a DiNapoli spokeswoman said the office was prepared to review the town’s "information technology controls to assess if they have been properly designed, are operating effectively, and are safeguarding personal, private and sensitive information."
Town spokesman Brian Nevin wrote in an email Thursday the December outage was caused by a "nefarious" individual or individuals who had attempted to penetrate the town’s IT system. In December, town Inspector General Brian Noone said in a statement the network was shut down after "random emails" were being sent from the town’s accounts but described the problems as an "operational anomaly" and "unexplained activity." Nevin then said "the system was shut down as a precaution."
On Tuesday the town board reallocated $100,000 budgeted for salaries in the inspector general’s office to consulting fees. On Friday town spokeswoman Marta Kane in an email said the money is being set aside in case the town needs to hire a cybersecurity contractor in the future. In December the town hired New Jersey-based Enterprise Security Solutions for "about $20,000" for work during the outage, Kane said.
Nevin said the town submitted information about the December outage to its insurer, Chubb, and the town was tabulating associated costs.
The town’s cyber insurance policy had been part of a public officers liability policy through Chubb that expired Friday. The town’s insurance broker, Syosset-based Salerno Brokerage Corp., informed the town in a Jan. 20 letter that Chubb would no longer offer it cyber insurance.
"Many carriers have pulled out of the Cyber marketplace for Public Entities and the ones that remain will only offer coverage after an exhaustive underwriting process reviewing the controls and practices that are in place," Salerno’s letter stated. Salerno said it will need extensive information from the town about its cyber exposure to find a stand-alone cyber insurance policy.
A 2021 report by the Council of Insurance Agents & Brokers, a trade group, said cyber insurance costs in general have gone up sharply over the past three years, with average premiums increasing by more than 27%, due to "the prevalence of cyberattacks, specifically ransomware, phishing, and social engineering attacks."