CISOs: Is Cyber Insurance On Your Radar?



Dan Gunderman
11/15/2017

There’s certainly buzz around state governments purchasing cyber insurance to safeguard their interests. But how complicated is it?

Cyber security is improving every day, as enterprises strive for full visibility, lead cyber training sessions and stand guard against a plethora of attacks. Even still, can large enterprises – such as state governments – better protect their future with cyber insurance?

The coverage could also help shield taxpayers from eating costs on significant breaches. If an attack were to transpire, insured enterprises might have to fork over a deductible, but their larger costs would be covered within the plan. This includes remedial steps, forensics investigations and credit monitoring, etc.

Utah’s Chief Information Officer Michael Hussey made the switch to cover cyber incidents in 2015, only after the state’s Department of Health was hacked, leading to the exposure of 780,000 medical records. Utah was forced to pay heavily into the recovery process, including legal fees and security assessments of state servers.

Hussey now calls the coverage a “big-budget” item, but something that will certainly protect the state in the case of a mega-breach, where tens of millions of dollars could be on the line. It currently pays $230,000 per year for $10 million coverage, with a $1 million deductible.

According to The Pew Charitable Trusts, about a dozen states have taken the insurance plunge. If an attack were to cripple one of these insured states, the providers would then pitch in for costs of investigating and restoring data. They would also provide legal and public relations services, along with other stabilizing features.

See Related: Microsoft President Requests 'Geneva Convention' For Cyber Warfare

Insurance

Likewise, businesses are also seeking cyber insurance. In 2016, insurers reportedly pulled in about $1.35 billion in premiums, a 35% increase from 2015. In 2017, state CIOs appear to have followed suit, with 38% of them reporting some sort of cyber insurance (up from 20% in 2015).

On whether cyber insurance will truly take hold in the immediate future, ASRC Federal’s Chief Information Security Officer, Darren Death, told CSHub, “I do think it will gain momentum.”

The trouble is, perhaps, in awareness, Death said. “Don’t expect normal business policies to cover you for cyber incidents. In fact, you will see standard policies exclude cyber. You will need to get a specific policy in most cases that supports cyber.”

The burgeoning cyber insurance field comes to its own as attacks have preyed on state and local governments, which hold sensitive information like social security and bank account numbers. Governments are also particularly susceptible to hacktivism, meaning leaks of sensitive information that hackers deem relevant to the public. But these same hackers could also disable websites, spread malware and demand ransoms.

James Lynch, chief actuary of the Insurance Information Institute, said that cyber insurance is no run-of-the-mill coverage. Due to evolving threats that emerge in various channels, defining coverage can be difficult.

See Related: Public Sector Advancing Cyber Security With Bill, Research

Because the operations of a state government are vast, it makes selling them cyber insurance even more difficult. Risk management and underwriting become particularly challenging, as information courses through countless channels within a government enterprise.

This also circles back to the governments themselves, who might not be privy to everything they must shop for.

With the help of a broker and numerous insurers, Georgia acquired what is believed to be the most comprehensive coverage. It reportedly amounts to $1.8 million per year in premium payments for $100 million coverage. There is also a $250,000 deductible per incident.

Once an enterprise is insured, however, the question becomes whether or not it will be lax in its cyber policing duties. The answer should be a resounding “no.”

Cyber insurance will “intensify efforts to secure networks,” Death told CSHub. “In order to gain coverage you must show adequate ‘cyber due diligence.’ Insurers will not insure a high-risk organization; or they will make the policy cost prohibitive.”

“If the CISO/CIO is lax, this will come out in any investigation and the insurer may not cover the insuree,” he added.