The Arizona Department of Administration is requesting $22.5 million next year for a cyber risk fund that would help establish statewide insurance and response for data breaches at state agencies.
In its budget request for the upcoming fiscal year, ADOA stated that many state agencies do not have established protocols to deal with the aftermath of a data breach. The agency is requesting that the money be transferred from its existing Risk Management Revolving Fund.
The fund would be run by ADOA’s risk management team and would provide insurance in case – or more likely when – a data breach occurs at a state agency. It also would pay for services that would be needed in the wake of a data breach.
Currently, ADOA risk management has no authority to pay out liability if a breach occurs. And most state agencies do not have a plan in place to respond to breaches, according to the agency’s proposal.
ADOA, the state universities, the Arizona Department of Transportation, the Arizona State Retirement System, the Public Safety Pension Retirement System, the Arizona Medical Board, Arizona Game and Fish and the State Treasury are the only agencies with plans and insurance in place, according to ADOA’s proposal.
This can create a larger problem if a breach results from one agency handing off information to another. For example, if the Department of Economic Security is breached due to a failure related to data being transferred to the agency by ADOA, the lack of insurance for DES could result in ADOA being denied when it seeks insurance, ADOA wrote in the budget request.
Currently, agencies that have coverage have on average $1.3 million in premiums, according to ADOA. The agency thinks those costs could be lowered if the state purchases a single policy from an insurance company that would cover the entirety of state government.
The proposal includes hiring four full-time staff to help agencies create and manage policies, as well as to help them if a breach occurs.
The largest chunk of the budget request, $20 million, would go toward a deductible for two possible future data breach incidents and would likely result in insurance coverage of $100 million, according to ADOA.
The program will likely take 18 months to get off the ground, and some changes to the law will have to be made to give ADOA’s risk management arm the ability to pay out liability claims.
Arizona has yet to be hit by a major data breach, such as the ones that have hit states like Texas, where 22 municipalities were hit recently with the same ransomware.
However, in 2017, auditors were able to hack into Arizona DES computers with relative ease. And Arizona’s Department of Public Safety was hacked twice by activists during the height of the furor over SB1070.