Not an optional thing these days.
Pending final approval from the legislature, the Texas Department of Transportation plans to spend about $100,000 annually on cybersecurity insurance aimed at repaying the state should it incur expenses related to loss of business or recouping costs related to correcting a cyber attack. To buy the insurance, TxDOT needs some minor language changes to state law. HB 3390 by State Rep. Ed Thompson, R-Pearland, would make those adjustments, clearing the way for the transportation agency to buy a policy.
Thompson’s bill passed the Texas Senate on Wednesday and now goes to Gov. Greg Abbott for his signature.
State Sen. Cesar Blanco, D-El Paso, who sponsored an identical bill in the Senate, said the premium on the insurance would cost TxDOT about $100,000 annually.
The insurance comes about a year after the department was the victim of a ransomware attack on its systems that cost about $10 million to correct and prevent future invaders.
“It was pretty bad,” said State Sen. Robert Nichols, chairman of the Senate Transportation Committee.
A number of state agencies, smaller public entities and major businesses in Texas have faced internet assaults, including school districts, the Houston Rockets, Texas’ court system and Texas Children’s Hospital.
Neither TxDOT nor its insurance company paid a ransom, officials at the time said, but spent weeks working with consultants and companies, such as AT&T, to identify the issue and install new hardware related to stopping infiltrations. James Bass, TxDOT’s executive director, said analysts believe the breach happened when a contract employee clicked a link disguised as coming from an internal source.
[…]
Bass said the need for the insurance at this time is somewhat confusing, since last year’s attack was covered by insurance. To satisfy bond holders, who lent money for the state to build toll roads, TxDOT purchased cyberattack insurance on its tolling systems about a decade ago. At that time, the insurer allowed TxDOT to add all of its operations free of charge.
Now that the state has been attacked, however, Bass said it likely will need separate insurance, which requires the change in law so TxDOT can use state money — not toll revenue — to pay the premium.
TxDOT is an obvious candidate for needing this kind of insurance, since drivers license data is a lucrative target, but surely they’re not the only state agency that would need it. The Department of State Health Services comes to mind, for example. A better question is what are we doing as a state to better protect these agencies and their data from being ransomed in the first place? Putting my professional hat on for a minute, I can tell you this is a big problem, one that requires a significant and evergreen investment to mitigate against it, and a lot of places are woefully ill-equipped for the fight. And as we saw last year, it’s not just DPS and other state agencies we have to worry about, it’s also the firms they do business with. (It’s also not just hackers, but pure human incompetence that can be at fault as well.) I’m sure there’s plenty the Lege could have done this session to improve things, but they had other priorities.