Is it time to buy cyber insurance?
Cybersecurity insurance not only helps agencies manage the costs of recovering from a breach, it can also foster better security practices.
On May 22, 2014, experts confirmed that hackers had accessed a computer server at Montana’s Department of Public Health and Human Services, putting at risk the personal information of 1.3 million people. Department officials responded swiftly, shutting down the server, contacting law enforcement, launching investigations and sending notifications.
In addition to taking these standard steps, the state also filed a claim with its insurers, Beazley Insurance Company and Barbican Insurance Company -- a move that helped ease some of the challenges associated with the hack.
“The state’s cyber insurance program was instrumental in providing an immediate and appropriate response to the incident in accordance with state and federal law(s) with minimal disruption of services to citizens,” Brett Dahl, administrator of the Risk Management and Tort Defense Division at Montana’s Department of Administration, said in an email. “The state’s cyber insurance program provided vital vendor services including incident reporting, forensics investigation, mail notification, credit monitoring, call center assistance and legal expertise.”
Cyber insurance is coverage that public- and private-sector organizations can buy to help manage the costs of cyber incidents -- costs that can be astronomical both in terms of dollar figures and loss of reputation. For example, the Office of Personnel Management has spent at least $133 million just on credit monitoring services. Studies last year of the per-record costs of data breaches ranged from $154 to $964.
Cybersecurity insurance has been available for nearly a decade, but it’s only recently begun to catch on.
“Now you have like 60, 70 carriers writing policies, you have annual premiums of $2 billion and growing, which is I think big. I think that’s sizable,” Sasha Romanosky, a policy researcher at Rand Corp., said. “That’s not the level of car insurance or health, but it’s still significant.”
The surge led the National Association of Insurance Carriers to establish the Cybersecurity Task Force in 2014. Last year it adopted the “Principles for Effective Cybersecurity Insurance Regulatory Guidance” and the “NAIC Roadmap for Cybersecurity Consumer Protections” to help guide insurers.
In its 2015 survey of state CIOs, the National Association of State CIOs found that about 20 percent of respondents said purchasing cyber insurance policies was part of their cyber plans.
“I would say the number of states pursuing or seriously considering cyber insurance has increased since the release of that survey” in October, Meredith Ward, NASCIO’s senior policy analyst, told GCN.
Montana was the first state to establish a comprehensive cybersecurity insurance program, according to Dahl. The state signed up for cyber insurance in 2010 and pays $94,000 annually for its plan, which covers damages and claims expenses related to the theft, loss and unauthorized disclosure of information; alteration, corruption and deletion of private, non-public information caused by malicious code and/or service denial failure; or unauthorized sharing and unauthorized selling of private, non-public information. It also covers costs associated with breach notifications, investigations, credit monitoring and legal fees. The plan has a limit of $2 million per occurrence.
The coverage applies only to state-owned data, not devices, Dahl noted in the email.
Although the return on investment is tough to measure from year to year, Dahl said the amount the state spent between 2010 and 2014 was $159,000, which saved the state $2 million, putting the ROI for the first three years of the program at 1,258 percent.
Some insurers require agencies to have certain security measures in place before they will provide coverage. Montana didn’t have to make any changes to get coverage, but the state must show it’s taking actions to reduce risk each year, Dahl wrote. “At policy renewal, the state CISO must complete a cyber insurance application explaining what loss prevention measures/policies are in place vis-à-vis encryption, mobile device management, etc.,” he added. “We are continually working to improve the security processes. These measures are taken into account by the insurance carrier when determining the insurance premium.”
Fairfax County’s peace of mind
Money was on the minds of officials in Fairfax County, Va., when the self-insured county added cyber coverage about three years ago to help with forensics costs in the event of a breach, said Michael Dent, the county's chief information security officer.
“Cyber insurance was something that was on our radar as something we would need,” Dent said. “If we had a major breach, we would need financial help.”
To get coverage, county officials underwent a lengthy assessment process to ensure security standards were being met. They spent several months answering a questionnaire covering security basics, such as encryption and firewalls -- “everything you would expect to have in a security program on an enterprise,” Dent said.
So far, the county has not had to file any cyber insurance claims, Dent said. The county’s Risk Management Division ultimately decides whether any breach is significant enough to warrant a claim, he added.
“It’s an insurance policy that hopefully -- if we do our due diligence and we do what we’re supposed to do to protect the data -- it’s something I never have to use,” Dent said. “Just like when you’re driving a car, you hope you’re never in a wreck, but if you are, you hope you have that insurance there to help you.”
Lessons learned in Georgia
The state of Georgia is shopping for cyber insurance now. Because it self-insures for many things, one of the first conversations that Steve Nichols, the state’s CTO, had with the risk management division leading the effort was about whether it made sense to spend more on security controls, as opposed to insurance -- a move he likened to adding locks to a house.
But the more he thought about it, the more he realized the insurance wouldn’t be used for something “like a house break-in. This is like the house catches fire and burns down…something really catastrophic,” Nichols said. “As we started to look at worst-case scenarios, we thought, ‘There’s probably some situations here that could go beyond our ability to self-insure.’”
But he’s not exactly putting together a wish list of coverage options. Because the policy will cover all state agencies, it has to consider all of their risk profiles as a single package. The state’s insurance broker, Marsh, is helping evaluate the requirements of the agencies, Nichols said. “You’re really trying to package up a portfolio, and there’s going to be different risks,” he said.
One part of the process that surprised Calvin Rhodes, Georgia’s CIO and executive director of the Georgia Technology Authority, is that the information the state provides in its insurance application about its existing cybersecurity controls isn’t vetted until an incident occurs.
“The burden is on you to make sure that what you’re providing is correct,” he said. “If you need to use that policy in the future, they’re going to validate if what you told them [in the application] is correct or not,” Rhodes said.
It’s the “cyber insurance equivalent of photographing everything in your home before you have the break-in,” Nichols added.
Additionally, Georgia has found that no single underwriter is willing to take on more than about $10 million worth of coverage. As a result, the state isn’t selecting a single underwriter but rather a consortium that divides responsibility.
What’s more, the cyber insurance search has proved beneficial to the state’s overall cybersecurity efforts, Rhodes said. Getting the agencies “more involved has created a greater focus on cyber and what we need to be doing to mitigate risk,” he said.
Cyber insurance: Looking ahead
Like most things in IT, cyber insurance has both pros and cons. The pros include financial protection for agencies in the event of a cyber incident. Additionally, applying for insurance gives entities an opportunity to assess and amend their current cybersecurity postures.
“There’s an opportunity by the insurance industry to drive policy,” Romanosky said. “They have an advantage over government mandates or regulations or even the legal system to induce companies to invest more in security.” Insurers that promise lower premiums to agencies that adopt specific controls create a huge incentive, he said.
One obvious downside to cyber insurance is cost. A 2013 Ponemon study found that 52 percent of respondents said their top reason for not buying cyber insurance was that premiums are too expensive. Expensive policies risk making insurance available only to the agencies with the biggest budgets, whereas it should be feasible for any, Romanosky said.
Another con, according to some critics, is that insurance can make agencies lax about cybersecurity.
“I think I’m going to suffer a loss, so I can either invest in cybersecurity to prevent that loss or I could just buy insurance to cover that loss should it happen,” Romanosky said. “Sometimes that’s a good tradeoff, but sometimes it’s not because it might induce reckless behavior.”
For Georgia’s Nichols, cyber insurance will be nice to have, but it’s not a silver bullet.
“Cyber insurance is just one tool in the toolbox. You don’t want it to be the tail wagging the dog,” Nichols said.