Many of New Mexico’s ransomware defenses are built from the ground up. With 33 counties spread across the fifth-largest state in the country, local governments are major players in the state’s collective cybersecurity.
Taylor Horst, Risk Director for New Mexico Counties (NMC), a nonprofit association that serves every county statewide, said ransomware is a daunting obstacle for state and local agencies such as New Mexico’s.
During an interview with GovLoop, Horst explains what he has learned about ransomware while working in New Mexico.
This interview has been lightly edited for clarity and length.
GOVLOOP: How does cybersecurity insurance help protect agencies from ransomware?
HORST: One of the coverages available in cyber liability policies is called “bricking coverage,” and it’s called “bricking” because once your computer’s been encrypted, it’s as useless as a brick. So, there are some property damage coverages available in different policies to basically take your computers, go put them in the dumpster and buy new ones, vs. trying to unsnarl the ransomware.
From an insurance perspective, it’s an interesting coverage. That’s because it includes first-party coverage, third-party coverage and typically some compliance coverage. There’s starting to be bodily injury coverage in there too, which is a part of third-party coverage. But it’s the only insurance product that has all these coverages in one package.
And it is a young product. I don’t think the insurance carriers fully understand the risks that they are trying to underwrite with it. Basically, they’re collecting five-figure premiums for this coverage and paying out six- and seven-figure ransoms. That’s not going to go on very long before they sublimit the coverage for ransomware events, the premiums go up dramatically or both.
GOVLOOP: How does ransomware affect an agency’s budget, its workforces and the citizens it serves?
HORST: There can be many impacts. With the cyber liability policy that we have in place here, there’s a $25,000 self-retention. So, there’s the impact of any claim. And there’s a lot of costs in employee time because the IT people work all weekend long – you have some disruption because of that. If there isn’t a quick resolution, then there are other departments that can’t operate.
I’m thinking first, though, about the public-facing services. Depending on how sophisticated the county is, there’s probably a system in place that they use to help them manage their public works efforts. It is snow removal, road repair and things like that. So, there are all these services that county governments provide that can’t be avoided. They must keep the roads clean. It varies by county, but some counties, for example, are responsible for trash pickup.
GOVLOOP: What’s the main takeaway that people should have after learning about ransomware?
HORST: The main takeaway is you just can’t be too careful. Another major point is isolating your actions. You can either isolate your network or the actions that you take on a computer. Don’t be using Facebook in one tab on your browser, and then be using business systems on the other tab in your browser. Isolate what you’re doing to try and cut it into smaller pieces.
Ransomware is not unlike COVID-19. With COVID-19, there’s people traveling all over the world now all the time. We’ve just got all this social interaction. And COVID-19 and ransomware are some of the bad results from us having all this social interaction.
I think we’re going to have to learn how to have faith in social interaction. Right now, we call it social distancing. I don’t know what the computer equivalent of social distancing is, but it might help with the ransomware.