Property & Liability
Cyber Coverage
Dedicated to ensuring CIS members have access to cyber coverage.
CIS Cyber Program
Oregon public entities continue to suffer through cyberattacks. CIS has made changes to our cyber program in response to changing member needs and the evolving cyber insurance market. CIS also offers cyber risk management services for members with cyber coverage and those seeking compliance for Tier Two coverage.
We offer members two choices for coverage.
| Options | Description |
|---|---|
| $100,000 in coverage; no application required | |
| Excess Cyber over $100,000; application required |
Tier One:
-
$100,000 of cybersecurity coverage
-
Members must have CIS property coverage
-
Members will be charged for this coverage
-
Encourage cybersecurity best practices
- Members should adopt a Cybersecurity Policy
-
Members are not required to complete the application to purchase the Tier One limit
-
This is optional coverage for members
-
No pool aggregate applies
Tier Two:
- Members can purchase up to $2m in limit
- Members must have CIS property coverage
- This is a fully insured, excess cyber above $100,000 from a commercial insurance company
- Premiums are established by the insurance company and passed onto members
- An application is required*
- This is optional coverage for members
- A pool aggregate of $10 million applies
- Certain cybersecurity risk management practices MUST be in place to qualify for this higher limit of coverage. Additional cybersecurity risk management practices are strongly recommended
| Available Limits | |||||
| Tier 1 (No Aggregate) | $100,000 | $100,000 | $100,000 | $100,000 | $100,000 |
| Tier 2 ($10m Aggregate) | $250,000 | $500,000 | $750,000 | $1,000,000 | $2,000,000 |
| Total | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| Data Breach Incident Response | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| Network Security, Privacy, and Data Breach Liability | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| Regulatory Liability | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| PCI Fines and Assessments | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| Data Restoration | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| Cyber Extortion | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| Media Liability | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| Social Engineering Fraud Event* | $500,000 | $500,000 | $500,000 | $500,000 | $500,000 |
| Network Interruption and Recovery | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| Dependent Network Interruption & Recovery (Dependent Business Income) | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
| Reputational Damage | $350,000 | $600,000 | $850,000 | $1,100,000 | $2,100,000 |
*When combined with $250,000 Excess Crime limits.
REQUIREMENTS (Tier Two)
CIS recommends the following cybersecurity risk management practices. Those highlighted are required for Tier Two cyber coverage.
- Multi-factor authentication
- Remote access
- VPN access only
- MFA for access
- Network-level authentication enabled. Remote access into networks by privileged account staff must have MFA to qualify for Tier Two coverage.
- Privileged account access
- Laptops
- Remote access
- Endpoint protection, detection, and response product implemented across enterprise with 24/7/365 response (EDR)
- Backups:
- 1 offsite (geo-diverse). Backups are a requirement for Tier Two
- At least one copy stored offline or in a cloud service designed for this purpose
- Tested at least twice a year
- Protected with antivirus or monitored on a continuous basis
- Encrypted
- Adopt CIS Cybersecurity Policy or similar (CIS provides a sample policy): A cybersecurity policy is required for Tier Two
- Tabletop drill annually
- Password strategy
- Training:
- CIS Learning Center — Cybersecurity Basics (or similar)
- Finance staff training on Fraudulent Instruction
- Testing: (Reflare provides for a fee)
- Semi-annual phishing test (CISA provides for free)
- Annual remote penetration testing (CISA provides for free)
- Critical and high severity patches installed within 30 or fewer days
- Plan or adequate measures in place to protect end-of-life software
- Have at least $250,000 of excess crime insurance for fraudulent instruction coverage. Required for Tier Two.
