South Carolina is learning the hard way that the costs associated with a data breach can spiral upward in a hurry. Last year, hackers infiltrated a Department of Revenue computer system and swiped millions of unencrypted Social Security numbers and other personally identifiable information. The state reportedly has spent more than $20 million so far cleaning up the mess, including $12 million on credit monitoring services for affected citizens, and millions more on breach notification letters, security improvements, data forensics teams and IT consultants. And South Carolina isn’t done opening its wallet — state agencies beyond the revenue department likely will request more funding to make IT security improvements of their own.
Although South Carolina’s woes are an extreme example — one security expert branded the hacking “the mother of all data breaches” — the incident shows how much an organization should expect to pay out to remediate a large-scale data breach. Other government agencies are dealing with the sticker shock. A separate high-profile breach last year of health-care data in Utah, for example, is costing millions; officials there spent hundreds of thousands of dollars alone on a crisis communications team. These figures aren’t outliers: A study conducted last year by the Ponemon Institute found that cybercrime cost the average U.S. organization $8.9 million annually.
If stolen data were treated like physical property, the out-of-pocket costs wouldn’t be as high. When a burglar steals a TV set, a homeowner is compensated if he or she bought a homeowners insurance policy. The same applies for car accidents. An insured driver who isn’t at fault in a car wreck won’t have to shell out as much money. Some public-sector officials and brokers in the insurance industry think the time has come to apply these same principles in the world of government IT. A small portion of local and state governments already have purchased what’s known as “cybersecurity insurance,” and at least a few officials think it’s time to start talking about the idea more seriously.
“The probabilities are such, because your networks and services are so complex and integrated now, that you can’t cover up every manhole. Sooner or later someone is going to get through,” said Dick Clark, the former CIO of Montana who retired last year, about the state’s rationale for buying cyberinsurance. Montana recently joined the few states believed to carry some form of the insurance. Clark said if Montana suffered a South Carolina-style data breach, his state would have a tough time covering the $10 million or $20 million cost. Montana likely would have to raid its general fund to cover the expense, he said. States and cities, Clark said, need to be aware that a data breach can bring a swath of unplanned costs.
Cybersecurity coverage isn’t a new product in the insurance marketplace. In fact, one researcher traced its roots back to the 1970s. But the action really started in the run-up to Y2K and after 9/11, a time in history when banks and big corporations realized that they were vulnerable in the online, interconnected world.
Unlike homeowners’ policies, which have become fairly standardized, cybersecurity policies vary widely in their underwriting approach depending on the broker, said Emily Freeman, executive director of the technology and intangibles risk practice at Lockton, a worldwide insurance broker based in London. Some insurance carriers sell comprehensive cybersecurity policies covering a wide range of expenses related to damages resulting from security and privacy liability — such as litigation costs and fines emanating from the violation of privacy laws; or expenditures on services like data forensics and mandatory breach notifications; as well as credit monitoring, which South Carolina and Utah paid. Other brokers sell these coverage areas separately from a menu, Freeman said.
As many as 50 different insurance brokers are selling cybersecurity insurance, and the customer base is growing among corporations, hospitals and universities, Freeman said. (A 2012 survey of public companies by the Chubb Group found that 35 percent of public companies do purchase liability insurance related to cybersecurity.) But uptake by municipalities and other public-sector entities in the U.S. has been a very slow process, she said. “From what I have seen, there is not real clarity from governments — a lack of putting together what their security picture is when it’s time to sit down and write a policy,” Freeman said. Therefore, it’s difficult for underwriters to assess risk. Government risk officers and insurance commissioners, meanwhile, counter that they need more information and education about cyberinsurance products, as well as true dialog with the industry before they buy. Some have likened the situation to two poker players who don’t know each other’s cards and therefore aren’t willing to bet.
The little research available on cyberinsurance confirms that sales to government are meager. Only a small percentage of counties purchase the coverage offered by brokers that sell insurance through state-level county associations, according to a news report in January from the National Association of Counties. Similarly, states aren’t believed to be buying it in large numbers either. Montana is one of the few, but its policy is capped at a modest $2 million maximum in coverage, Clark said. Nobody, it seems, knows what coverage — if any — anybody else has.
The slow growth and lack of information could be because the market isn’t fully mature. The U.S. Department of Homeland Security (DHS) hosted a workshop last fall in Arlington, Va., attended by insurance carrier representatives (including Lockton’s Freeman), corporate risk officers, IT experts and others to discuss the state of the cybersecurity insurance market. The participants identified several obstacles impeding growth: a lack of shared data or metrics about breaches and cyber-risk; tremendous confusion about who assumes the risk when data is managed by a third party via cloud computing or outsourcing; and the industry’s reluctance to assume risk for fear that a so-called “Cyber Pearl Harbor” could lead to massive financial losses. The DHS said developing common cybersecurity standards and best practices would go a long way to growing this underdeveloped segment of the insurance market.
“I don’t think it’s on a lot of radar screens in government yet, but it should be,” said Theresa Masse, chief information security officer of Oregon. “This insurance is so new that there’s just a lot of misunderstanding and confusion.” She wants to elevate this issue to a national level so that localities, state and federal governments begin talking seriously with insurance companies.