Outdated Cybersecurity Policies at National Insurance Highlighted by State Comptroller’s Report

Recent revelations from State Comptroller Thomas P. DiNapoli’s report bring to light significant flaws in the cybersecurity policies of the National Insurance sector, highlighting a pressing need for reform amid a sharp rise in cyber threats across New York State.

Short Summary:

  • Cyberattack incidents surged by 53% in New York from 2016 to 2022.
  • Healthcare and Financial Services are the two most targeted sectors for cyberattacks.
  • The report emphasizes the urgent need for comprehensive cybersecurity measures and centralized incident reporting.

The threat landscape for cybersecurity within New York State is becoming increasingly alarming, with complaints of cyberattacks soaring by 53% from 2016 to 2022, as evidenced by data from the Federal Bureau of Investigation (FBI). The number of cyber incidents escalated from 16,426 in 2016 to a staggering 25,112 incidents reported in 2022. This uptick is not merely a statistical anomaly; it reflects a genuine risk that demands immediate attention—particularly from sectors like National Insurance that handle sensitive personal data.

In a critical assessment released today, State Comptroller Thomas P. DiNapoli highlighted these issues, noting that New York has also seen a dramatic increase in attacks targeting essential infrastructure, with ransomware attacks more than doubling in the first half of 2023 compared to 2022. These figures underscore a dire need for effective cybersecurity frameworks in sectors vulnerable to such attacks.

“Cyberattacks are a serious threat to New York’s critical infrastructure, economy and our everyday lives,” emphasized DiNapoli. “Data breaches at companies and institutions that collect large amounts of personal information expose New Yorkers to potential invasions of privacy, identity theft, and fraud.”

The economic toll from cyberattacks has also skyrocketed, with estimated losses exceeding $775 million for New York in 2022. Nationally, these losses amounted to a staggering $10.3 billion. As New York ranks high in terms of ransomware and data breaches, trailing only California and Texas, local institutions are finding themselves at the forefront of this escalating crisis.

Assessment of Vulnerabilities

According to the report, the most frequently targeted sectors in New York were Healthcare and Financial Services, with nine and eight reported ransomware attacks respectively. These areas are particularly susceptible due to the sensitive nature of the data they hold, further emphasizing the need for robust cybersecurity policies.

DiNapoli’s audits across state agencies revealed a disturbing trend of common technical vulnerabilities, including:

  • A pervasive misunderstanding of security risks among entities.
  • Reliance on unsupported applications, making them more susceptible to attacks.
  • Non-existent or poorly enforced access controls.
  • Lack of consistent monitoring of system changes.

This dangerous combination of vulnerabilities places essential public services at risk, calling for immediate rectification measures.

Efforts Toward Improvement

In response to this growing crisis, Governor Kathy Hochul took decisive action by appointing a state chief cyber officer tasked with coordinating statewide cybersecurity initiatives. This position oversees the Joint Security Operations Center, aimed at creating a fortified network of information sharing and incident response that includes critical infrastructure stakeholders and federal partners.

“The challenges posed by an ever-evolving cyber threat landscape require a collaborative approach, investment, and continuous vigilance,” remarked Governor Hochul. “Our cyber chief will play a pivotal role in enhancing protections across the state.”

As part of the effort, New York has unveiled its first comprehensive statewide cybersecurity strategy, which is expected to attract much-needed federal funding to bolster these initiatives. This strategy will facilitate the establishment of a standardized reporting framework for cyber incidents across critical infrastructure sectors, allowing for more effective threat detection and mitigation.

Cyber Incident Reporting Developments

The state’s push toward establishing a central repository for data breach reports is also a vital component in preemptively countering cyber threats. This repository aims to help identify new vulnerabilities faster and coordinate responses proactively, thereby addressing the challenges posed by rapid technological advances in cyber warfare.

In alignment with newly enforced regulations through the Cyber Incident Reporting for Critical Infrastructure Act, organizations may soon be mandated to report cyber incidents promptly. This legislation seeks to standardize the reporting process and improve collective response capabilities across federal and state entities.

The significance of comprehensive reporting mechanisms cannot be overstated. For instance, local governments and school districts have experienced repeated cyberattack incidents, signaling a critical awareness gap regarding cybersecurity best practices.

Local Government and School Systems Challenges

DiNapoli’s examination of cybersecurity challenges for local governments and educational institutions brought to light a series of alarming incidents. Counties such as Albany and Suffolk, along with school districts across the state, have fallen victim to debilitating ransomware attacks. A notable incident in 2019 saw the Syracuse City School District paralyzed by a ransomware assault that halted its website, email systems, and essential operations like payroll and student management.

The Suffolk County incident in September 2022 serves as another cautionary tale, illustrating how such attacks can force organizations to revert crucial operations to simple procedures. The cascading effects of cyber breaches on day-to-day operations can cripple the functionality of local governments and hinder educational institutions’ capability to serve students effectively.

“The ramifications of these cyberattacks underscore the necessity for immediate reforms in our cybersecurity infrastructure,” DiNapoli noted. “Local entities must prioritize cybersecurity training and create comprehensive contingency plans to protect their operations.”

From 2019 until July 2023, the Office of Local Government and School Accountability has conducted over 190 information technology (IT) audits, uncovering more than 2,400 cybersecurity vulnerabilities. Audit results have often signaled critical breakdowns in fundamental cybersecurity practices, necessitating a push towards better governance and robust security measures.

Building a Security Culture

To stave off these threats, local governments and school districts must cultivate a security-conscious culture by increasing awareness and providing thorough training on cybersecurity practices. The recommendations provided in DiNapoli’s report aim to empower organizations to implement changes that can be executed globally but tailored to local contexts.

Common recommendations include:

  • Implementing routine security awareness training programs.
  • Establishing comprehensive cybersecurity policies and best practice guidelines.
  • Creating contingency plans to ensure operational resilience.

Given the sensitivity and scale of the data processed by local entities, these changes are not merely advisable but imperative to safeguarding public and private information alike.

The Path Forward

The findings from this extensive report are a wake-up call. As cyberattacks continue to escalate across various sectors, it is evident that targeted action is required to equip New York’s infrastructure and organizations with significantly stronger cybersecurity defenses.

The collaborative efforts led by the state cyber chief, combined with the advancement of a robust incident reporting system, can forge a path toward a more resilient cybersecurity framework for New York. Enhanced training and public education initiatives can also empower citizens and organizations alike to recognize and respond to emerging cyber threats.

“Vigilance against cyber threats is not the responsibility of government alone; it is an obligation we all share,” concluded DiNapoli. “Everyone must take a proactive role in creating a secure environment.”

As the landscape continues to shift with growing complexities and evolving cyber threats, New York’s path forward will depend on sustained commitment across all sectors to fortify defenses, ensuring that the state’s vital services and consumer data remain robustly protected.

This comprehensive approach can be a model for other states grappling with similar cybersecurity vulnerabilities, establishing a template for problem-solving in the face of an increasingly digital future. Proactive investment, continuous enhancements, and a collective drive toward greater security awareness can fortify all levels of society against the persistent threats posed by cybercriminals.

As New York positions itself for a secure digital environment, it stands to serve as a leading example for coordinated efforts against the rising tide of cybercrime. Staying informed about emerging threats and investing in resilient infrastructure will pave the way toward a safer cyber landscape for all.
