After this year’s major breach of state Fish and Game data held by a vendor, the state of Idaho has decided to purchase a $25 million cybersecurity insurance policy, the Legislative Council heard this morning. The policy, with an annual premium of roughly $570,000 and a $1 million deductible per incident, will start in December.
Cathy Holland-Smith, legislative budget director, said the cost for the remainder of the current fiscal year, $330,000, will be covered by existing budgets, but the state Department of Administration will include the full $570,000 in its budget request for next year.
Bob Geddes, department director, said the premium for the current year will come from the existing state risk management fund, which has enough to cover it. But if there were a breach during the current fiscal year, a supplemental budget request likely would be needed to cover the $1 million deductible. Geddes said his department coordinated with a state cybersecurity task force and state agencies on the plan to get the insurance policy; all agencies have been supportive.
Lawmakers quizzed Holland-Smith about what the policy would have provided had it been in effect during the Fish and Game hack. “That was a private contractor who manages that, so we did not accept the risk personally for the state,” she said. But the vendor has incurred roughly $5 million in costs, between several states that were affected. “The costs can be, they can be really large,” she said. “Some of the banks that have been hacked have had to accept costs of about $100 million for an incident. So it really depends on what kind of information gets breached.”
Geddes said the insurance policy also will help the state with situations in which private contractors are involved, covering forensic and information technology costs to verify a breach and identify the contractor’s responsibilities.
Rep. John Rusche, D-Lewiston, said, “I serve on the Your Health Idaho board and we have a concern about cybersecurity as well. We have insurance to cover the cost of investigation, notification, a first class letter to everybody that may have been affected, ongoing credit monitoring for anyone who could’ve been affected for a year, maybe two. And then the changes in business practices ... to mitigate” the effects of a breach. “So I think $25 million is a minimal amount for as many lives as the state of Idaho touches, through employees, contracts, beneficiaries, whatever.”
Holland-Smith said the Department of Administration’s budget request for the insurance premium next year will spread the cost throughout all of state government.