Denver lacks a comprehensive program to assess potentially disastrous cybersecurity risks, City Auditor Tim O’Brien said in a new report.

The city’s current approach can best be described as “informal,” O’Brien said, particularly when it comes to oversight of independent city agencies or cultural facilities — like the Denver Art Museum and Denver Zoo — that operate on subnetworks tied into the city’s broader system.

O’Brien cataloged his office’s findings in an audit report released Thursday.

The report is the product of a review of city data, processes and planning efforts over two years — from Jan. 1, 2022, through Dec. 31, 2023.

The audit team found that city staff did not consistently complete quarterly mandatory cybersecurity training. The city also lacks a specific training regime for employees responsible for citywide information technology risk management.

O’Brien is urging Denver Technology Services — the city department tasked with overseeing and managing all physical and virtual technology that touches the city’s network — to overhaul its approach and create clear guidelines for how every wing of city government handles data and technology risks.

“Through awareness of cybersecurity risks and clear expectation-setting for appropriate use of technology, the city can trust its employees to do their part in protecting data and information,” O’Brien said in a statement.

The auditor’s office recommended seven steps that Technology Services should take to remedy Denver’s shortcomings.

Those include:

• Developing a citywide risk assessment process
• Developing risk management training
• Creating information-exchange agreements that would require independent agencies and facilities to share information about high-level technology risks with the department

Sumana Nallapati, Denver’s chief information officer, accepted all seven recommendations in a response letter sent to the auditor’s office on June 7. Mayor Mike Johnston hired her in September.

Many facets of what O’Brien recommends are already underway, Nallapati wrote in her response letter.

“(Technology Services) intends to create a robust and holistic organizational risk management structure identifying roles, responsibilities, documentation, risk assumption, identification of training for necessary roles and escalation processes associated to technical risk,” Nallapati wrote in part.

Her letter acknowledged the administration’s limited power to influence independent city agencies. While Technology Services accepted the recommendation to pursue information exchange agreements, Nallapati wrote that her department plans to reach out to independent agencies to see whether they would be willing to sign memorandums of understanding — or MOUs — focused on risk assessment.

“(Technology Services) cannot commit to a completion date for any such efforts, or that a successful MOU will ever be reached,” she wrote.

The audit report cites officials with Denver County Court as specifically asserting that they have the legal authority to operate independently as the judicial branch of city government. Court officials argue that they should not be required to formally communicate potential cyber security risks to Technology Services, the report says.

“But this assertion of independence with limited collaboration undermines the greater good of protecting the city from costly and damaging cyberattacks…” the audit team wrote.

Denver’s approach leaves the city more vulnerable to equipment failures, service disruptions and cyberattacks, the auditor’s office found. Those risk factors could cost Denver millions of dollars per day if any of them were ever to lead to full city network failure, according to the report.

In a statement to The Denver Post, Nallapati said her department is “committed to working across the city enterprise on continuous improvement of technology risk management strategies.”

Colorado has seen its share of high-profile cyberattacks in recent years.

In 2018, a ransomware attack temporarily knocked the Colorado Department of Transportation’s back-end operations offline. It cost the state between $1 million and $1.5 million just to bring the agency’s functionality back to 80% of normal in the months that followed.

Earlier this year, a cyberattack hobbled the Office of the Colorado State Public Defender and delayed hundreds of court hearings. The agency acknowledged that personal data including clients’ Social Security numbers may have been compromised during that episode.

Stay up-to-date with Colorado Politics by signing up for our weekly newsletter, The Spot.