Dedicated to ensuring CIS members have access to cyber coverage.

CIS Cyber Program 

Oregon public entities continue to suffer through cyberattacks. Because the cyber insurance market has struggled, CIS has made changes to its cyber program.
 
Beginning July 1, 2022, cyber liability coverage will be under the property-line umbrella rather than liability, and members will have a choice of three tiers of coverage.
 
| Options | Description |
|---|---|
| Tier One | $50,000 in coverage; no application required |
| Tier Two | $200,000 additional coverage; an application and Discovery Assessment required |
| Tier Three | Still working on securing Excess Cyber at this time; application required |
 

Tier One:

  • $50,000 of cyber liability coverage
  • Members must have CIS property coverage
  • Members will be charged for this coverage
  • Encourage cybersecurity best practices
  • Offer grants for cybersecurity testing 
  • Members should adopt a Cybersecurity Policy
  • Members are not required to complete the application to purchase the Tier One limit
  • This is optional coverage for members
  • A pool aggregate of $5 million applies 

Tier Two (Optional Cyber Program):

  • $250,000 ($200,000 excess of $50,000) of cyber liability coverage
  • Members must have CIS property coverage
  • Members will provide an additional contribution
  • An application is required*
  • This tier will be self-funded with no reinsurance back-up 
  • This is optional coverage for members
  • A pool aggregate of $5 million applies 
  • Cybersecurity risk management practices (see Requirements) MUST be in place to qualify for this higher limit of coverage
  • Members must pay $500 for “cyber discovery,” which will verify that these risk management practices are in place (scheduled after the application has been reviewed and approved)

Tier Three (Proposed; Seeking Reinsurance):

  • CIS is working to secure Excess Cyber at this time
  • Members must have CIS property coverage
  • An application will be required*
  • This will be fully insured, excess cyber above $250,000 from a commercial insurance company  
  • Premiums will be established by the insurance company and passed on to members
  • Coverage will be obtained through OPEEP
  • Limits and premium will be whatever the commercial insurance market provides (CIS staff expects to see higher excess cyber premiums)
  • Cybersecurity risk management practices (see Requirements) MUST be in place to qualify for this higher limit of coverage
 

*IMPORTANT!

All risk controls asked about on the Cyber application must be in place or the application will be declined.
 
The member will not move forward to the next step of receiving a Discovery Assessment until the application confirms all risk controls are implemented.
 
The Discovery Assessment is simply a tool to corroborate that the member’s risk controls are in place and working as expected.
 

REQUIREMENTS (Tiers Two/Three)

CIS has implemented new requirements for members to receive CIS Cyber Coverage at the Tier Two and Tier Three levels.
 
  1. Pass the “Discovery Assessment” with a satisfactory score. The Discovery Assessment is completed by an independent IT vendor to verify that the following cybersecurity measures are in place. The cost will be $500, paid by the member and arranged by CIS Underwriting.
  2. Multi-factor authentication
    • Remote access
      • VPN access only 
      • MFA for access
      • Network level authentication enabled 
      • Privileged account access
    • Laptops 
    • Email
  3. Endpoint protection, detection, and response product implemented across enterprise with 24/7/365 response (EDR)
  4. Backups:
    • 3 copies; 2 offsite (geo-diverse), 1 onsite (source)
    • At least one copy stored offline or in a cloud service designed for this purpose 
    • Tested at least twice a year
    • Protected with antivirus or monitored on a continuous basis 
    • Encrypted
  5. Adopt CIS Cybersecurity Policy or similar:
    • Tabletop drill annually 
    • Password strategy
  6. Training:
    • CIS Learning Center — Cybersecurity Basics (or similar)
    • Finance staff training on Fraudulent Instruction
  7. Testing: (Reflare provides for a fee)
    • Semi-annual phishing test (CISA provides for free)
    • Annual remote penetration testing (CISA provides for free)
  8. Critical and high severity patches installed within 30 days or fewer
  9. Plan or adequate measures in place to protect end-of-life software
  10. Have at least $250,000 of excess crime insurance for fraudulent instruction coverage