Dedicated to ensuring CIS members have access to cyber coverage.

CIS Cyber Program 

Oregon public entities continue to suffer through cyberattacks. Because the cyber insurance market has struggled, CIS has made changes to our cyber program.
 
Beginning July 1, 2022, cyber liability coverage will be under the property-line umbrella rather than liability, and members will have three tiers of coverage to choose from.
 
| Options | Description |
| --- | --- |
| Tier One | $50,000 in coverage; no application required |
| Tier Two | $200,000 additional coverage; application required, assessment recommended |
| Tier Three | Excess Cyber over $250,000; application required |
 

Contributions for Tier One and Tier Two are based on the member’s Materials and Services Budget: 

| Materials & Services Budget | $50k Limit (Tier One) | $200k Limit (Tier Two) |
| --- | --- | --- |
| $0 - $500K | $650 | $500 |
| $500K - $1M | $800 | $650 |
| $1M - $2M | $1,200 | $850 |
| $2M - $5M | $2,300 | $1,100 |
| $5M - $15M | $3,600 | $1,500 |
| $15M - $30M | $5,500 | $2,100 |
| $30M+ | $7,500 | $3,000 |

Tier One:

  • $50,000 of cyber liability coverage
  • Members must have CIS property coverage
  • Members will be charged for this coverage
  • Encourage cybersecurity best practices
  • Offer grants for cybersecurity testing 
  • Members should adopt a Cybersecurity Policy
  • Members are not required to complete the application to purchase the Tier One limit
  • This is optional coverage for members
  • A pool aggregate of $5 million applies 

Tier Two:

  • $250,000 ($200,000 excess of $50,000) of cyber liability coverage
  • Members must have CIS property coverage
  • Members will provide an additional contribution
  • An application is required*
  • This is optional coverage for members
  • A pool aggregate of $5 million applies 
  • Certain cybersecurity risk management practices MUST be in place to qualify for this higher limit of coverage. Additional cybersecurity risk management practices are strongly recommended

Tier Three:

  • Members must have CIS property coverage
  • The Tier Two application is required*
  • This is a fully insured, excess cyber above $250,000 from a commercial insurance company  
  • Premiums are established by the insurance company and passed on to members
  • Limits and premium will be what the commercial insurance market provides
  • Cybersecurity requirements are the same as Tier Two

Contributions for Tier Three are based on the member’s population and limit selected:

REQUIREMENTS (Tiers Two/Three)

CIS recommends the following cybersecurity risk management practices.  Those highlighted are required for Tier Two and Tier Three cyber coverage. 
 
  1. Undergo optional “Discovery Assessment.” The discovery assessment is completed by an independent IT vendor to verify the following cybersecurity measures are in place. The cost will be $500 paid by the member and arranged by CIS Underwriting.
  2. Multi-factor authentication
    • Remote access
      • VPN access only 
      • MFA for access
      • Network-level authentication enabled.  Remote access into networks by privileged account staff must have MFA to qualify for Tier Two and Tier Three coverage.
      • Privileged account access
    • Laptops 
    • Email
  3. Endpoint protection, detection, and response product implemented across enterprise with 24/7/365 response (EDR)
  4. Backups:
    • 3 copies; 2 offsite (geo-diverse), 1 onsite (source). Backups are a requirement for Tier Two and Tier Three 
    • At least one copy stored offline or in a cloud service designed for this purpose 
    • Tested at least twice a year
    • Protected with antivirus or monitored on a continuous basis 
    • Encrypted
  5. Adopt CIS Cybersecurity Policy or similar (CIS provides a sample policy):  A cybersecurity policy is required for Tier Two and Tier Three
    • Tabletop drill annually (completed during 2022 year)
    • Password strategy
  6. Training:
    • CIS Learning Center — Cybersecurity Basics (or similar)
    • Finance staff training on Fraudulent Instruction
  7. Testing: (Reflare provides for a fee)
    • Semi-annual phishing test (CISA provides for free)
    • Annual remote penetration testing (CISA provides for free)
  8. Critical and high severity patches installed within 30 or fewer days
  9. Plan or adequate measures in place to protect end-of-life software
  10. Have at least $250,000 of excess crime insurance for fraudulent instruction coverage. Required for Tier Two and Tier Three.