Is it time to buy cyber insurance?

Cybersecurity insurance not only helps agencies manage the costs of recovering from a breach, it can also foster better security practices.

On May 22, 2014, experts confirmed that hackers had accessed a computer server at Montana’s Department of Public Health and Human Services, putting at risk the personal information of 1.3 million people. Department officials responded swiftly, shutting down the server, contacting law enforcement, launching investigations and sending notifications.

In addition to taking these standard steps, the state also filed a claim with its insurers, Beazley Insurance Company and Barbican Insurance Company -- a move that helped ease some of the challenges associated with the hack.

“The state’s cyber insurance program was instrumental in providing an immediate and appropriate response to the incident in accordance with state and federal law(s) with minimal disruption of services to citizens,” Brett Dahl, administrator of the Risk Management and Tort Defense Division at Montana’s Department of Administration, said in an email. “The state’s cyber insurance program provided vital vendor services including incident reporting, forensics investigation, mail notification, credit monitoring, call center assistance and legal expertise.”

Cyber insurance is coverage that public- and private-sector organizations can buy to help manage the costs of cyber incidents -- costs that can be astronomical both in dollar terms and in loss of reputation. For example, the Office of Personnel Management has spent at least $133 million on credit monitoring services alone following its 2015 breach. Estimates published last year of the per-record cost of a data breach ranged from $154 to $964, depending on the study.

Cybersecurity insurance has been available for nearly a decade, but it’s only recently begun to catch on. 

“Now you have like 60, 70 carriers writing policies, you have annual premiums of $2 billion and growing, which is I think big. I think that’s sizable,” Sasha Romanosky, a policy researcher at Rand Corp., said. “That’s not the level of car insurance or health, but it’s still significant.”

The surge led the National Association of Insurance Commissioners (NAIC) to establish its Cybersecurity Task Force in 2014. Last year it adopted the “Principles for Effective Cybersecurity Insurance Regulatory Guidance” and the “NAIC Roadmap for Cybersecurity Consumer Protections” to help guide regulators and insurers.

In its 2015 survey of state CIOs, the National Association of State CIOs found that about 20 percent of respondents said purchasing cyber insurance policies was part of their cyber plans.

“I would say the number of states pursuing or seriously considering cyber insurance has increased since the release of that survey” in October, Meredith Ward, NASCIO’s senior policy analyst, told GCN.

Montana was the first state to establish a comprehensive cybersecurity insurance program, according to Dahl. The state signed up for cyber insurance in 2010 and pays $94,000 annually for its plan, which covers damages and claims expenses related to the theft, loss and unauthorized disclosure of information; alteration, corruption and deletion of private, non-public information caused by malicious code and/or service denial failure; or unauthorized sharing and unauthorized selling of private, non-public information. It also covers costs associated with breach notifications, investigations, credit monitoring and legal fees. The plan has a limit of $2 million per occurrence.

The coverage applies only to state-owned data, not devices, Dahl noted in the email.

Although the return on investment is tough to measure from year to year, Dahl said the state paid $159,000 in premiums between 2010 and 2014 and recovered $2 million in coverage in return, which he puts at an ROI of 1,258 percent for the program’s first three years ($2 million returned on $159,000 paid).

Some insurers require agencies to have certain security measures in place before they will provide coverage. Montana didn’t have to make any changes to get coverage, but the state must show it’s taking actions to reduce risk each year, Dahl wrote. “At policy renewal, the state CISO must complete a cyber insurance application explaining what loss prevention measures/policies are in place vis-à-vis encryption, mobile device management, etc.,” he added. “We are continually working to improve the security processes. These measures are taken into account by the insurance carrier when determining the insurance premium.”

Fairfax County’s peace of mind

Money was on the minds of officials in Fairfax County, Va., when the self-insured county added cyber coverage about three years ago to help with forensics costs in the event of a breach, said Michael Dent, the county's chief information security officer.

“Cyber insurance was something that was on our radar as something we would need,” Dent said. “If we had a major breach, we would need financial help.”

To get coverage, county officials underwent a lengthy assessment process to ensure security standards were being met. They spent several months answering a questionnaire covering security basics, such as encryption and firewalls -- “everything you would expect to have in a security program on an enterprise,” Dent said.

So far, the county has not had to file any cyber insurance claims, Dent said. The county’s Risk Management Division ultimately decides whether any breach is significant enough to warrant a claim, he added.

“It’s an insurance policy that hopefully -- if we do our due diligence and we do what we’re supposed to do to protect the data -- it’s something I never have to use,” Dent said. “Just like when you’re driving a car, you hope you’re never in a wreck, but if you are, you hope you have that insurance there to help you.”

Lessons learned in Georgia

The state of Georgia is shopping for cyber insurance now. Because it self-insures for many things, one of the first conversations that Steve Nichols, the state’s CTO, had with the risk management division leading the effort was about whether it made sense to spend more on security controls, as opposed to insurance -- a move he likened to adding locks to a house.

But the more he thought about it, the more he realized the insurance wouldn’t be used for something “like a house break-in. This is like the house catches fire and burns down…something really catastrophic,” Nichols said. “As we started to look at worst-case scenarios, we thought, ‘There’s probably some situations here that could go beyond our ability to self-insure.’”

But he’s not exactly putting together a wish list of coverage options. Because the policy will cover all state agencies, it has to consider all of their risk profiles as a single package. The state’s insurance broker, Marsh, is helping evaluate the requirements of the agencies, Nichols said. “You’re really trying to package up a portfolio, and there’s going to be different risks,” he said.

One part of the process that surprised Calvin Rhodes, Georgia’s CIO and executive director of the Georgia Technology Authority, is that the information the state provides in its insurance application about its existing cybersecurity controls isn’t vetted until an incident occurs.

“The burden is on you to make sure that what you’re providing is correct,” Rhodes said. “If you need to use that policy in the future, they’re going to validate if what you told them [in the application] is correct or not.”

It’s the “cyber insurance equivalent of photographing everything in your home before you have the break-in,” Nichols added.

Additionally, Georgia has found that no single underwriter is willing to take on more than about $10 million worth of coverage. As a result, the state isn’t selecting a single underwriter but rather a consortium that divides responsibility.

What’s more, the cyber insurance search has proved beneficial to the state’s overall cybersecurity efforts, Rhodes said. Getting the agencies “more involved has created a greater focus on cyber and what we need to be doing to mitigate risk,” he said.

Cyber insurance: Looking ahead

Like most things in IT, cyber insurance has both pros and cons. The pros include financial protection for agencies in the event of a cyber incident. Additionally, applying for insurance gives entities an opportunity to assess and amend their current cybersecurity postures.

“There’s an opportunity by the insurance industry to drive policy,” Romanosky said. “They have an advantage over government mandates or regulations or even the legal system to induce companies to invest more in security.” Insurers that promise lower premiums to agencies that adopt specific controls create a huge incentive, he said.

One obvious downside to cyber insurance is cost. A 2013 Ponemon study found that 52 percent of respondents said their top reason for not buying cyber insurance was that premiums are too expensive. Expensive policies risk making insurance available only to the agencies with the biggest budgets, whereas it should be feasible for any, Romanosky said.

Another con, according to some critics, is that insurance can make agencies lax about cybersecurity.

“I think I’m going to suffer a loss, so I can either invest in cybersecurity to prevent that loss or I could just buy insurance to cover that loss should it happen,” Romanosky said. “Sometimes that’s a good tradeoff, but sometimes it’s not because it might induce reckless behavior.”

For Georgia’s Nichols, cyber insurance will be nice to have, but it’s not a silver bullet.

“Cyber insurance is just one tool in the toolbox. You don’t want it to be the tail wagging the dog,” Nichols said.
