State CISOs Sound The Alarm: What The 2026 NASCIO-Deloitte Study Means For Government Cyber Risk Insurance


The people responsible for protecting America’s state government data are losing confidence fast. That is the headline finding of the 2026 NASCIO-Deloitte Cybersecurity Study, the ninth edition of the biennial survey of state chief information security officers (CISOs) in the country. All 50 states, the District of Columbia, and the US Virgin Islands responded. The results are worth reading carefully for every underwriter pricing government cyber risk insurance.

Confidence Has Collapsed

In 2022, 48% of state CISOs said they were “extremely” or “very confident” in protecting state information assets. By 2026, that number dropped to 22%. Those who said they were “not very confident” increased from 13% to 20%. Confidence in local government and public higher education is even lower: now, 63% of CISOs say they are “not very confident” in those groups’ cyber abilities, up from 35% in 2022. No state CISO reported being “very confident” in local governments’ cyber practices.

This is important for underwriters because local governments are not separate risks. State benefit systems regularly run at the county level, and shared data and credentials mean a ransomware attack on one city can spread to state systems. What affects the whole state also affects the entire insurance portfolio.

The Budget Picture Is Getting Worse

State cybersecurity budgets are falling behind as responsibilities grow. In 2026, only 22% of CISOs saw budget increases of 6% or more, compared to 40% in 2024. Even more worrying, 16% reported budget cuts, while no states reported cuts in 2024. Three states had reductions of more than 5%. The report points to reasons like expiring federal relief funds, less support from CISA and MS-ISAC, and general budget pressures. The trend is clearly negative.

For carriers and brokers focused on government cyber risk insurance, tightening budgets translates directly to deferred patching, understaffed SOCs, and delayed security control upgrades. The report found that legacy infrastructure is now the top barrier to addressing cybersecurity challenges, cited by 65% of CISOs, up from 52% in 2022. Insufficient funding came in third at 59%. These are not soft concerns. They are underwriting signals.


The Talent Gap Is Real And Getting Harder To Close

Only 22% of CISOs say their cybersecurity staff have the required competencies to handle existing and foreseeable challenges, down from 47% in 2024. Eight of 51 CISOs reported “significant gaps in competencies.” States are adjusting by eliminating four-year degree requirements (up from 6% in 2024 to 20% in 2026) and investing more heavily in training and certification. But structural under-staffing driven by budget constraints means that even willing teams are spread thin. The CISO incident response readiness gap documented elsewhere in the market is visible in these numbers. When staff can’t keep pace, dwell times lengthen and claims costs rise.


Third-Party Risk Is The Fastest-Growing Concern

The fastest-growing concern in the survey is third-party security breaches, cited by 44% of CISOs in 2022, 73% in 2024, and 78% in 2026. This reflects a real change in how attacks reach state systems: attackers now target contractors, service providers, and business partners rather than only state agencies. States are also outsourcing more cybersecurity work: 65% now outsource incident response, up from 27% in 2022, and 75% outsource forensics and legal support. Relying on third parties for key security tasks increases exposure to the very risk the survey flags as the top emerging threat.

This corresponds directly with what third-party risk surveys in the private sector have found: the vendor perimeter is where attacks increasingly begin and where coverage gaps most often appear.

AI Is Both The Problem And The Attempted Solution

The report confirms that AI is changing the threat environment for state governments at a pace that governance structures cannot match. CISOs describe vendors embedding AI features into existing platforms without adequate notice, creating new risk surfaces before risk assessments can be completed. AI ransomware-as-a-service marketplaces, AI-generated deepfakes, and autonomous agents that probe for weaknesses are all cited as active concerns. One CISO sums it up plainly: AI is “accelerating both the sophistication and volume of cyber threats.”

At the same time, 94% of CISOs are actively involved in GenAI security policy development, and nearly all states are either using or planning to use GenAI to improve cybersecurity operations. The AI governance challenge facing CISOs is that attack and defense are evolving in parallel, and under-resourced teams are trying to manage both. That is a claims environment, not just a risk management challenge. Underwriters writing AI-related cyber coverage for government entities should treat these conclusions as baseline threat intelligence.


The Whole-Of-State Problem Creates Accumulation Risk

Roughly one-fifth of CISOs report that their states are moving toward a whole-of-state cybersecurity model, extending state-level protection to local governments, K-12 schools, and critical infrastructure. The concept is sound, but adoption is uneven and funding-dependent. States that centralize security operations also centralize cyber risk. A successful attack on a state SOC providing services to dozens of municipalities creates concentrated loss potential that portfolio managers and reinsurers need to model carefully.

The boardroom-level accountability that now accompanies the expanded CISO role adds another dimension. Every CISO surveyed now offers strategy, governance, and risk management services to state agencies, up from 81% in 2022. The CISO is no longer a technical function. The CISO is a risk management function. That shift carries direct implications for how government cyber leadership navigates adaptive change in the face of tightening budgets and expanding attack surfaces.


The Bottom Line For Underwriters And Brokers

The 2026 NASCIO-Deloitte study is one of the most underwriting-relevant documents published in the government cyber risk space this cycle. The confidence collapse, the budget deterioration, the third-party dependency, the AI governance lag, and the whole-of-state accumulation question all point in the same direction: state and local government entities are carrying more cyber risk today than their security posture can absorb. Carriers and brokers who price and structure government cyber risk insurance without reference to this data are working without a map.

FAQ: 2026 NASCIO-Deloitte Cybersecurity Study

What is the 2026 NASCIO-Deloitte Cybersecurity Study?

It is the ninth edition of a biennial survey conducted jointly by NASCIO and Deloitte, covering responses from the CISOs of all 50 states, the District of Columbia, and the US Virgin Islands. The survey tracks cybersecurity strategy, threats, budgets, and workforce across state government.

What does the budget data mean for government cyber risk insurance pricing?

Tighter budgets mean deferred patching, legacy infrastructure, understaffed teams, and slower incident response. These are underwriting risk factors. The 2026 survey shows 16% of states reporting actual budget reductions, compared with zero in 2024. That is a meaningful shift in the risk environment.

What is the whole-of-state cybersecurity model, and why does it matter for accumulation risk?

Whole-of-state is a model where state-level security resources extend to local governments, schools, and critical infrastructure. Where it centralizes security operations, it also centralizes cyber risk. A single event affecting a state SOC that services many municipalities creates correlated loss potential across what might otherwise appear to be separate insured entities.

How does third-party risk show up in the government cyber context?

State governments rely heavily on contractors and service providers, and 78% of CISOs now cite third-party breaches as a top threat, up from 44% in 2022. At the same time, states are outsourcing more cybersecurity functions, including incident response. Vendor chain exposure is therefore both a threat vector and a dependency risk.

What should brokers ask government clients following this report?

Brokers should ask about budget trends, legacy infrastructure ratios, SOC coverage arrangements, third-party vendor assessments, and whether the entity falls under a whole-of-state program or operates independently. The answers will materially affect coverage adequacy, retention levels, and renewal positioning.
