Lack of insurance may have signaled Suffolk's vulnerability to cyberattack

Suffolk County’s potential vulnerability to a cyberattack might have been signaled in the months and years leading up to the September ransomware attack through the lack of something most homeowners wouldn’t dream of being without: insurance. 

The county has never had a dedicated cyber-insurance policy to cover events such as the crippling ransomware attack, a fact that security and insurance experts say increased its vulnerability because the policies require a thorough assessment of an organization's security measures and infrastructure. 

Suffolk officials acknowledged the county's decentralized networks had lacked key security components deemed essential to obtain cyber insurance, so the county never qualified.

“We simply wouldn’t be eligible for it,” County Executive Steve Bellone said in response to Newsday questions last month. “What they [insurers] require in order to insure you, the level of protections you need in place, the sophistication of systems, the hardware, the best practices that clearly were not being employed here.” 

Asked if the county had applied for insurance, Bellone said, “We did not apply.” 

Collectively, experts said, the shortcomings identified by Suffolk that led to its ineligibility for insurance pointed to a level of vulnerability that ultimately was exploited. 

“If you want to insure a building, the building has to be up to code,” said Justin Cappos, an associate professor of computer science and engineering at the Tandon School of Engineering at New York University. He and others were puzzled by Bellone’s statement that the county was “ineligible.”

“It’s a little like saying, ‘No one would give me auto insurance,' " Cappos said. "It would make one wonder, ‘Do you have a license? Do you have a history of car crashes?' "

Policies for cyber insurance that cover some of the costs of ransomware attacks such as the one Suffolk endured on Sept. 8 have become relatively common, as attacks have increased and companies and governments look to limit their exposures.

The New York State Association of Counties, of which Suffolk is a member, last fall surveyed its more than 60 members about cyber insurance. Of the 26 entities that responded, 21 had cyber insurance: 12 had $1 million in cyber coverage, five had $5 million worth, two had $2 million in coverage and one each had $500,000 and $3 million. Five had no coverage at all.

But costs for the insurance are spiraling, experts say, and so are the complexities of applying for it. Like some life insurance policies, they require long-form questionnaires that delve deeply into an entity's computer infrastructure to specify its level of preparedness.

Cappos said organizations seeking cybersecurity insurance need to show that they have certain controls and protections in place before they get it. “If you’re willing to put in the right controls, you can get it,” he said, postulating, "I would imagine there were issues of severe concern."

"I've never heard of anybody being 'ineligible,' " agreed Robert Rivera, an insurance broker from Port Jefferson Station who sells cyber insurance. He said he recently had one client whose renewal for cyber insurance was declined, "But I still found another company for half of what they were paying" to provide a policy. 

Dan Levy, security architect at Sourcepass, a managed service provider of information technology, said his company has never had a client rejected for cybersecurity insurance, even after a breach.

Levy said entities seeking cybersecurity insurance typically have to fill out a questionnaire. “The answers that are provided either raise or lower the cost. They don’t disqualify the client.”

Suffolk County officials have said they believed that shortcomings in the security infrastructure largely disqualified the county from even applying for insurance, and delays in implementing security upgrades were largely attributed to dealing with the COVID-19 pandemic, which diverted resources and required the county to work remotely, officials said.

For instance, Suffolk has never had a chief information security officer with control over all county agencies, despite a recommendation in a 2019 risk study commissioned by the county to hire one. Instead, Suffolk’s had a computer security “coordinator,” who was rehired as a contractor once he retired in 2021. He moved to Florida earlier this year, but his contract with the county runs through the end of April, for an amount not to exceed $145,600, according to documents Newsday received under a Freedom of Information Law request.

Bellone said the county had been working toward a chief security officer in 2020, but dealing with COVID-19 concerns slowed the progress, as it slowed other measures that would have increased the county's eligibility for cyber-insurance. A chief security officer could be hired in coming weeks, said county consultant Michael Balboni, who helped conduct the 2019 risk assessment of county systems.

Deputy County Executive Vanessa Baird-Streeter, in a follow-up to Bellone's remarks, said the county’s disparate and decentralized computer network, spread across multiple county agencies, also was a factor in not being able to obtain insurance.

“With a decentralized system, you’re not going to be eligible,” she said, noting that the county is now working toward centralized security.

Even now, Bellone said in a statement, the county "does not currently qualify" for cyber insurance, though it does have "crime protection insurance against computer hackers with unauthorized access who attempt to transfer funds or securities to unauthorized accounts." 

Bellone said the county found "most insurance carriers would require the county to have multi-factor authentication, which was recently deployed," along with patch management and vulnerability management across the entire enterprise, a chief information security officer and privileged access across the entire enterprise, among a number of other factors."

Even assuming the county eventually meets all of the eligibility requirements for cyber insurance, Bellone said, the county would then need to make "a business determination about whether such insurance makes sense considering premiums, exclusions from coverage, and deductibles."

NYSAC had attempted to interest a carrier in pooled insurance for counties, but brokers indicated “little to no appetite for it,” said Mark LaVigne, deputy director for the association.

Brookhaven Town Supervisor Edward P. Romaine said the town has had cybersecurity insurance for several years, and "It wasn’t hard to get,” he said. “You have to meet certain standards.”

Romaine, a Republican who is running for county executive, said the town bought cybersecurity insurance because he deemed it important. “This is government 101. It’s basic,” he said.

Nassau County does not have cyber insurance, according to a spokesman for County Executive Bruce Blakeman.

During a Sept. 7 NYSAC cyber insurance briefing, Kevin Crawford, executive director of the New York Municipal Insurance Reciprocal, a state agency that provides insurance for local governments, noted that applications for cyber insurance, which used to be a half page, now run 25 to 30 pages long. All of them centered on a government’s “IT hygiene,” he said, referring to the state of its computer network security.

Crawford said there's an "understanding" among local government leaders that cyber insurance is "an investment that we have to make" and called cyber insurance that governments buy "critically important, essential and necessary, despite the fact that the costs are increasing in ways that make it very difficult for your budget to accommodate.”

“Short term, insurers will continue to ask more questions,” he said. “And that’s probably going to continue until they feel they have an understanding of what risk you’re presenting with the various programs and services you have and what is the IT expertise you have and whatever kind of security you’re able to obtain and maintain.”

One challenge for government, Crawford said, was "inflexible” local government budgets,

Bellone last month said he believes the county can overcome that challenge. 

“If it makes sense, I don’t think the legislature, if they’re presented with it and it made sense, the risks were evaluated and the potential rewards were evaluated, that they would be opposed to that,” he said, adding, “It’s certainly something we would consider down the line.”