Suffolk exec-elect Romaine pushing for county to qualify for cyberinsurance

Suffolk County Executive-elect Ed Romaine plans to fortify the county's cybersecurity infrastructure in a way that would allow the sprawling computer network to be insured against cyberattacks for the first time, according to recent correspondence.

In a Nov. 27 letter to Suffolk’s current chief information security officer, Romaine requested answers to a series of questions about the state of Suffolk’s cybersecurity preparedness, and said it was his goal to make Suffolk the “most secure county in New York State.”

“Chief among these goals is obtaining cyber-insurance for Suffolk County as soon as possible,” Romaine wrote, according to the letter obtained by Newsday.

Newsday has reported that Suffolk had attempted to obtain cyberinsurance but was deemed ineligible because, among other things, it lacked a chief information security officer (CISO) and certain fundamental protections such as multi-factor authentication, which verifies the identity of users on the network using means outside the network.

“What they [insurers] require in order to insure you, the level of protections you need in place, the sophistication of systems, the hardware, the best practices that clearly were not being employed here," County Executive Steve Bellone told Newsday in February.

Suffolk has since hired a CISO, Kenneth Brancik, and it has instituted multi-factor authentication and a series of other upgrades. Suffolk County spokeswoman Marykate Guilfoyle said Brancik told her he had yet to receive Romaine's letter, which a Romaine spokesman, Michael Martino, said was sent last week via email. 

“We are hopeful the legislature will adopt the legislation we've proposed to give the CISO authority to enforce cybersecurity throughout the network, something that is necessary for the county to obtain insurance,” Guilfoyle said in a statement.

Newsday last week reported that Suffolk’s multi-factor authentication vendor, Okta, which was installed last year at an estimated $800,000 cost, was itself the victim of a breach that led to certain customer data being potentially compromised. 

Among the long list of requests Romaine had for Brancik was a “full audit of the condition” of Suffolk’s technology, for both security and operational purposes.

Internal Suffolk reviews of the county’s technology infrastructure had recommended appointing a chief information security officer at least four years ago, but Suffolk only filled the role earlier this year — after a Sept. 8, 2022, ransomware attack caused widespread damage to county networks. Brancik was hired after a monthslong search that was conducted with the help of consultant and lobbyist Michael Balboni, Newsday has reported.

Romaine asked Brancik if the county had an incident-response plan in place and if it had been updated since the breach. He also asked whether the county implemented security-awareness training and if there’d been a third-party audit of county technology since the 2022 attack. 

In addition, Romaine asked if the county had contracted for any third-party penetration testing recently, to determine if new systems installed at an estimated cost of up to $17 million since then have protected the networks.

Some of the questions Romaine is asking may be answered by a report being prepared by a committee of the Suffolk Legislature probing the 2022 cyberattack. Legis. Anthony A. Piccirillo (R-Holtsville), who chairs the committee, said it's likely the report will be publicly released early next year.

By Mark Harrington

mark.harrington@newsday.comMHarringtonNews

Mark Harrington, a Newsday reporter since 1999, covers energy, wineries, Indian affairs and fisheries.