Issue 140 - October 2023
RISK SOLUTIONS
California JPIA Pilots and Launches New Resources During Cybersecurity Awareness Month
Since 2004, the President of the United States and U.S. Congress have declared October as Cybersecurity Awareness Month, when the public and private sectors collaborate to raise awareness about the importance of protecting systems, networks, and programs from digital attacks. This month and throughout the year, cybersecurity remains top-of-mind for many public agencies as incidents trend upward in frequency and complexity.
“California local governments have become a major target for cyberattacks,” said Senior Risk Manager Alex Mellor. “This increase, as well as other factors, has caused the commercial cyber insurance market to harden; fewer insurers are willing to write cyber coverage, and those remaining in the market are more selective. The Authority’s priorities are twofold: to help members effectively manage cyber risk and to ensure the pool continues to be insurable by promoting good cybersecurity hygiene amongst the membership.”
The California JPIA currently holds pool-wide coverage for first- and third-party cyber losses through Great American Insurance Company, offering members two critical resources. The Eagle Eye cyber risk management platform includes a checklist to help avoid common security errors, an external website assessment tool, and a cybersecurity progress tracker. The E-Risk Hub, which members can access through cjpia.org, offers a repository of trainings, articles, and cybersecurity news.
Building on these resources—and rooted in a rise of member interest—the California JPIA has partnered with KnowBe4, a cybersecurity awareness and simulated phishing service provider.
KnowBe4 strengthens cybersecurity culture and reduces human risk through a simulated phishing platform that helps organizations raise awareness about ransomware, fraud, and other social engineering tactics.
“KnowBe4 helps members stress-test their human firewall through custom, simulated phishing emails,” said Mellor. “This allows them to identify susceptible employees and provide immediate training.”
The Authority has negotiated preferred pricing with KnowBe4 for members new to the program. Learn more about the KnowBe4 service and sign up here.
The Authority has also partnered with Triden Group, a cybersecurity solutions and services company, to provide cyber assessments to members. These services are currently being piloted with a small group of agencies and, assuming the pilot is successful, will be offered to the broader membership sometime in 2024. The Authority will fully fund cyber assessments.
The scope of work for each assessment includes the following elements:
- The National Institute of Standards and Technology (NIST) Questionnaire is an interview-style survey that evaluates whether cybersecurity controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
- An External Vulnerability Assessment identifies and evaluates security vulnerabilities in an organization’s external-facing systems and networks. This includes systems and networks that are accessible to the public, such as web servers and email servers.
- An Internal Vulnerability Assessment identifies and evaluates security vulnerabilities in an organization’s internal systems and networks. This includes systems and networks that are not accessible to the public, such as servers, workstations, and databases.
After completing the assessment, members will receive a findings report and a roadmap for improvement. The Authority has also executed a master services agreement with Triden Group, which allows members to take advantage of preferred pricing should they decide to engage Triden to remediate deficiencies identified during the assessment.
“Members are strongly encouraged to take advantage of these tools to improve cybersecurity practices,” said Mellor. “Doing so will reduce the likelihood that the member will be victimized by cyber criminals and strengthen the Authority’s ability to continue to obtain pool-wide cyber liability coverage in the future.”
Members wishing to learn more about the above resources should contact their regional risk manager.