Public-sector organizations are buying “cyber insurance” policies much less frequently than other major sectors of the U.S. economy, according to a new study released Wednesday, Aug. 7 by an independent data and security research firm.

The Ponemon Institute study found that only 19 percent of survey respondents from government agencies said their organization has procured such a policy, which can help mitigate the financial risk associated with a cyberattack by covering expenses such as legal defense costs, computer forensics, breach notification and remediation, and credit monitoring services.

The public-sector vertical trails other sectors by at least 10 percentage points: Technology and software leads the way with a 41 percent adoption rate, followed by financial services (37 percent), services (36 percent), retail (29 percent) and health and pharmaceuticals (29 percent).

The survey of 638 risk management professionals was sponsored by Experian Data Breach Resolution, which counts several government agencies among its clients.

Michael Bruemmer, the company’s vice president, said there are a few reasons why sales are lagging among government entities. One is that some government agencies say their charter or legislation forbids them from taking out a policy that extends beyond the minimum liability coverage, he said. Another challenge is that governments have a hard time accurately describing the details of how their data is secured to the satisfaction of insurers.

And perhaps most troublesome, Bruemmer said some governments are uninsurable in the eyes of insurance carriers because the agencies lack the systems, technical expertise and personnel to secure high-value data such as personal and financial information to current industry standards.

“The level of protection does not match the value of what they’re protecting,” Bruemmer said.

The survey findings appear to corroborate what public-sector CIOs and insurance industry professionals told Public CIO earlier this year: Governments and cyber insurers are having a hard time understanding each other and sales of the insurance policies to the public sector are meager.

Indeed, several governments that have suffered high-profile and costly data breaches in recent years, including massive breaches at the South Carolina Department of Revenue and the Utah Department of Health, did not carry a cyber insurance policy at the time of the incidents and were forced to spend millions of dollars to clean up.

Bruemmer said there are some indications within the survey data that cyber insurance will become more common. Thirty-nine percent of respondents said their organization plans to purchase such an insurance policy in the next 12 months. When they do start buying, they’ll have more coverage options to choose from. During the last few months, big insurance carriers have entered the cyber coverage marketplace for the first time, Bruemmer said.

“Cyber insurance is still in its toddler-adolescent stage, and there’s a long way to grow,” Bruemmer said.

Cyber insurance also could soon get a boost from the White House. A blog from the Obama administration this week outlined several measures that could potentially incentivize private companies to comply with a voluntary cybersecurity standards framework the president introduced earlier this year in an executive order.

“The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market,” wrote Michael Daniel, a special assistant to the president and cybersecurity coordinator.

Among the Ponemon Institute survey’s other noteworthy findings:

  • 62 percent said cyber insurance improves their organization’s “security posture and readiness.”
  • 70 percent of those organizations with cyber insurance have experienced a security exploit or data breach and have filed a claim for losses.
  • 95 percent rated their insurer’s responsiveness to a cyber insurance claim as “good” to “excellent.”
  • 62 percent said premiums are a fair price given the nature of the risk.
  • 56 percent of all respondents said their organization had experienced a security exploit or data breach sometime during the past 24 months.
  • The 56 percent that had breaches reported an average cost of $9.4 million for these incidents in the last 24 months.

The full report, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, is available from Experian.

Matt Williams  |  Contributing Writer

Matt Williams was previously the news editor of Govtech.com, and is now a contributor to Government Technology and Public CIO magazines.