Navigating Cybersecurity Compliance and Insurance for Government Agencies 

• By: Michael Smith, Managing Director, CIO & Security Officer

The cybersecurity landscape and the identification of security gaps continues to evolve as they become an increasing priority for government agencies. Modern hackers have advanced their skills dramatically in recent years, and in turn, agencies at the local, state and federal levels need to understand key risks, regulations and compliance and the role of cybersecurity insurance in case of a data breach or cyberattack. 

With the potential for financial loss, interruption of operations, or reputational damage, agencies of all sizes should be aware of the inherent risks and work to prepare and understand next steps if a cyberattack or breach occurs. 

Potential Risks of Cyber Attacks for Data and Infrastructure 

Given the interconnectivity of critical infrastructure systems in the country, safeguarding against the threat to local, state and national data, security and health should be of upmost importance. Understanding infrastructure and data risks is a key first step in creating the correct safeguards, processes and responses. 

Per the Department of Homeland Security, main risks include loss of data and information across sectors and agencies, which include but are not limited to critical manufacturing areas such as energy, nuclear power, water, and aviation. Risks can also include cyberattacks on electrical grids, as well as ransomware attacks via emails or phishing, supply chain threats, and attacks or breaches of key infrastructure, such as internet-service providers. Attacks on government agencies or infrastructures can result in the loss of key data and connectivity, and harm an agency’s reputation and erode public trust. 

Understanding Key Regulations to Follow 

Two sets of guidelines that are key regulations for government agencies to adhere to include the Federal Information Security Modernization Act (FISMA), which sets the legal requirements for annual compliance, and the National Institute of Standards and Technology (NIST), the government body which works to develop standards and policies for agencies to utilize when making certain their systems, applications and networks meet required guidelines and remain secure. 

Under the FISMA guidelines, agencies must: 

• Perform system risk categorization – Following a review of risk levels, information systems must be categorized to ensure that high value asset (HVA) systems are provided with the highest level of security.

• Meet baseline security controls and document controls in security plan – All federal systems should adhere to strict FISMA guidelines and security requirements. FISMA is wide-ranging in its guidelines, and government agencies should be aware of which guidelines apply to their systems and/or functions. It is also important to note that documenting controls should be included in a System Security and Privacy Plan (SSPP), which is a required deliverable when receiving an Authorization to Operate (ATO) for the FISMA system.

• Perform a risk assessment and conduct routine security reviews – An important step following categorization of risk is an assessment of overall system risk. These assessments of cybersecurity controls should take place regularly. These, and annual security reviews, are required for FISMA certification.

• Continuously monitor accredited systems – Ensure consistent monitorization is in place to identify weaknesses of any kind to systems and/or infrastructure, thereby maximizing an agency’s ability to respond to breaches or cyberattacks. 

Finally, agencies should continually update themselves on any new guidelines or standards released by NIST to ensure they are meeting standards for cybersecurity protection, safety and preparedness. 

Ensuring Compliance and Avoiding Penalties 

As noted, ensuring compliance and avoiding penalties can be accomplished by adhering to FISMA and NIST guidelines, which include continuous oversight and monitoring. As part of these efforts, agencies should perform regular audits of their cybersecurity controls, systems and infrastructure to identify weaknesses and maximize an agency’s ability to respond to a cyberattack or data breach. 

As part of preparations, agencies should be aware of steps needing to be taken if an incident were to occur, and response planning should be practiced routinely. As part of an incident response plan, an agency should create a policy to classify what entails a cybersecurity incident, who would be responsible for responding, roles and responsibilities across the agency, and what is necessary for required documentation and reporting. More broadly, an incident response plan can maximize an agency’s ability to understand its abilities to respond to an attack, specifically in terms of measuring capabilities and effectiveness of response. 

For more information, agencies should consult NIST, which emphasizes key objectives, including the minimization of the overall impact of a cyber incident, and the facilitation of the recovery of operations. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) defines four key elements in an incident response lifecycle. These elements include: Preparation and Planning; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activities. 

Role of Cybersecurity Insurance in Mitigating Financial Risks 

Though local, state and federal government agencies have robust data and infrastructure protection, as well as mitigation plans in place, there will be instances in which an attack has occurred, and cybersecurity insurance will be crucial to mitigate financial risks and protect against losses. This type of insurance is most useful in offsetting costs from common cyber risks, but additionally, teams such as Sedgwick’s are able to provide comprehensive support, which prioritizes response, mitigation of risk, as well as reputation management and ensuring public trust continues. 

The direct and indirect costs of cyberattack attacks and data breaches can include expenses such as data recovery and restoration, governmental operation interruption costs, cyber extortion costs, crisis management and more. The ideal claims team will support exposure and coverage interpretation, claims adjustments, as well as provide proper legal experts and support. In conclusion, it’s crucial to have a cybersecurity claims team at the ready who understands this swiftly changing market and is consistently growing and updating its knowledge base on new policies, guidelines, standards and other key topics.