South Carolina is learning the hard way that the costs associated with a data breach can spiral upward in a hurry. Last year, hackers infiltrated a Department of Revenue computer system and swiped millions of unencrypted Social Security numbers and other personally identifiable information. The state reportedly has spent more than $20 million so far cleaning up the mess, including $12 million on credit monitoring services for affected citizens, and millions more on breach notification letters, security improvements, data forensics teams and IT consultants. And South Carolina isn’t done opening its wallet — state agencies beyond the revenue department likely will request more funding to make IT security improvements of their own.
Although South Carolina’s woes are an extreme example — one security expert branded the hacking “the mother of all data breaches” — the incident shows how much an organization should expect to pay out to remediate a large-scale data breach. Other government agencies are dealing with the sticker shock. A separate high-profile breach last year of health-care data in Utah, for example, is costing millions; officials there spent hundreds of thousands of dollars alone on a crisis communications team. These figures aren’t outliers: A study conducted last year by the Ponemon Institute found that cybercrime cost the average U.S. organization $8.9 million annually.
If stolen data were treated like physical property, the out-of-pocket costs wouldn’t be as high. When a burglar steals a TV set, a homeowner is compensated if he or she bought a homeowners insurance policy. The same applies for car accidents. An insured driver who isn’t at fault in a car wreck won’t have to shell out as much money. Some public-sector officials and brokers in the insurance industry think the time has come to apply these same principles in the world of government IT. A small portion of local and state governments already have purchased what’s known as “cybersecurity insurance,” and at least a few officials think it’s time to start talking about the idea more seriously.
“The probabilities are such, because your networks and services are so complex and integrated now, that you can’t cover up every manhole. Sooner or later someone is going to get through,” said Dick Clark (pictured left), the former CIO of Montana who retired last year, about the state’s rationale for buying cyberinsurance. Montana recently joined the few states believed to carry some form of the insurance. Clark said if Montana suffered a South Carolina-style data breach, his state would have a tough time covering the $10 million or $20 million cost. Montana likely would have to raid its general fund to cover the expense, he said. States and cities, Clark said, need to be aware that a data breach can bring a swath of unplanned costs.
Cybersecurity coverage isn’t a new product in the insurance marketplace. In fact, one researcher traced its roots back to the 1970s. But the action really started in the run-up to Y2K and after 9/11, a time in history when banks and big corporations realized that they were vulnerable in the online, interconnected world.
Unlike homeowners’ policies, which have become fairly standardized, cybersecurity policies vary widely in their underwriting approach depending on the broker, said Emily Freeman, executive director of the technology and intangibles risk practice at Lockton, a worldwide insurance broker based in London. Some insurance carriers sell comprehensive cybersecurity policies covering a wide range of expenses related to damages resulting from security and privacy liability — such as litigation costs and fines emanating from the violation of privacy laws; or expenditures on services like data forensics and mandatory breach notifications; as well as credit monitoring, which South Carolina and Utah paid. Other brokers sell these coverage areas separately from a menu, Freeman said.
As many as 50 different insurance brokers are selling cybersecurity insurance, and the customer base is growing among corporations, hospitals and universities, Freeman said. (A 2012 survey of public companies by the Chubb Group found that 35 percent of public companies do purchase liability insurance related to cybersecurity.) But uptake by municipalities and other public-sector entities in the U.S. has been a very slow process, she said. “From what I have seen, there is not real clarity from governments — a lack of putting together what their security picture is when it’s time to sit down and write a policy,” Freeman said. Therefore, it’s difficult for underwriters to assess risk. Government risk officers and insurance commissioners, meanwhile, counter that they need more information and education about cyberinsurance products, as well as true dialog with the industry before they buy. Some have likened the situation to two poker players who don’t know each other’s cards and therefore aren’t willing to bet.
The little research available on cyberinsurance confirms that sales to government are meager. Only a small percentage of counties purchase the coverage offered by brokers that sell insurance through state-level county associations, according to a news report in January from the National Association of Counties. Similarly, states aren’t believed to be buying it in large numbers either. Montana is one of the few, but its policy is capped at a modest $2 million maximum in coverage, Clark said. Nobody, it seems, knows what coverage — if any — anybody else has.
The slow growth and lack of information could be because the market isn’t fully mature. The U.S. Department of Homeland Security (DHS) hosted a workshop last fall in Arlington, Va., attended by insurance carrier representatives (including Lockton’s Freeman), corporate risk officers, IT experts and others to discuss the state of the cybersecurity insurance market. The participants identified several obstacles impeding growth: a lack of shared data or metrics about breaches and cyber-risk; tremendous confusion about who assumes the risk when data is managed by a third party via cloud computing or outsourcing; and the industry’s reluctance to assume risk for fear that a so-called “Cyber Pearl Harbor” could lead to massive financial losses. The DHS said developing common cybersecurity standards and best practices would go a long way to growing this underdeveloped segment of the insurance market.
“I don’t think it’s on a lot of radar screens in government yet, but it should be,” said Theresa Masse, chief information security officer of Oregon. “This insurance is so new that there’s just a lot of misunderstanding and confusion.” She wants to elevate this issue to a national level so that localities, state and federal governments begin talking seriously with insurance companies.
Montana, of all places, is where that conversation might start. Last year, at a bagel shop, Clark asked a special projects manager working in the state’s IT Services Division to investigate risk management and cyberinsurance. Stephen Forrest utilized his background as a former law clerk to write an informal white paper on the topic. The work argues that states should agree to a “standard of care” for information technology that would be legally defensible and also aid insurance brokers trying to assess risk and price affordable insurance plans. Forrest wrote that the National Institute of Standards and Technology’s Special Publication 800-53 could serve as the standard, since federal agencies already use this document as a benchmark for security, recovery and continuity criteria. Eventually states could be accredited on the standard, Forrest proposes, in order to give insurers further assurance.
Furthermore, Forrest advocates for a new job role called the chief information technology risk officer. A CITRO — not to be confused with the duties of a traditional chief information security officer — would focus on integrating the policy (such as cyberinsurance) enabling proper risk mitigation strategies. “The person would have some knowledge of law or insurance, bending toward that rather than IT,” Forrest said. The same skill set that makes a great technician or a great chief information security officer may not make a great CITRO — because they’re two different mindsets. The CITRO would be the go-between in the IT side of the house and the risk management officials who typically work within their own silo.
Forrest conceded that making these kinds of changes to IT management would force an evolution in how governments typically think about security and its relationship to risk management. A lot of states still believe IT risk management is about penetration testing and making certain that ports are secured. But this mentality of “we never can let anything bad happen” is unrealistic, Forrest said. “It’s the equivalent of saying that a doctor could never have a patient die on the operating table or a home could never burn for any reason,” he said. Instead, Forrest said governments would be better served practicing true risk management at the policy level, which includes insurance.
Some government security officers seem supportive of the idea, but they caution that there are many hurdles to overcome. “It’s not that I don’t think you should do everything in your resources and funding to do prevention — but the bottom line is you’re not going to be able to,” Masse said. “You will never be bulletproof. Never. You have insurance in all other aspects of your life. Why not for IT security?”
Still, carving out money from the budget to buy another insurance policy would be a tough sell. Masse said she also is concerned that Oregon would not be getting a good price because there isn’t a lot of information readily available for comparison. “I think that what we’ve been quoted seems high for us,” she said. The state’s risk managers are accustomed to paying less for other types of policies. Insurance brokers also need to understand that government doesn’t have as much money as corporations to spend, she said. Masse speculated that the higher rates could be due to the insurance industry’s perception that government IT is riskier than the private sector’s computer systems. The fact that governments continue to rely heavily on legacy systems doesn’t help, she added.
Dan Lohrmann, the chief security officer of Michigan, said another issue is a lack of motivation. Lawsuits against government must prove “gross negligence” — not just negligence (although Forrest said this “sovereign immunity” has eroded over the years). And many states have a history of being self-insurers, which basically means they handle the policies themselves. Furthermore, public-sector executives still prefer to spend precious dollars on fixing problem areas in security, Lohrmann said.
Politics also is involved, he said. He believes insurance won’t stop the negative publicity of a data breach, as in South Carolina and Utah. “Purchasing insurance implies a level of knowledge of the risks and acceptance of those risks. However, if a breach occurs, someone will suffer politically. The question will be: ‘Why didn’t you do more to stop the breach in the first place rather than buy the insurance?’”
Clark, though, sees insurance as a much-needed lifeline for a beleaguered CIO: “We need to start thinking of the private sector as our ally in this, and how we can start to mitigate and reduce our exposure, such as car or homeowners insurance. We need somebody who can impose a standard of care that can back us in court. What has happened right now is, if you get hacked it doesn’t matter how much good you did — you have no way of having anybody support you. You get fired as the CIO, the state takes the black eye, and there’s nobody there to help you.”
Clark hopes NASCIO can coordinate talks with the insurance industry. Masse, an executive committee member of the Multi-State Information Sharing and Analysis Center, said MS-ISAC also would be a good organization to get involved. In addition, she has talked with agency directors in Oregon state government, hoping to raise the issue’s profile.
The obstacles might seem insurmountable, but innovative thinking in the University of California’s Risk Management Office might show the way forward. Grace Crickette, chief risk officer of the university system, said that although cyberinsurance products are improving, they still weren’t attractive for campuses’ individual needs and the prices were high. And the overwhelming number of different computer systems operated by the university made it almost impossible to fill out a traditional application for insurance. Many of the systems are small and siloed, making an accurate inventory of risk a tall task.
“I think that the insurance community wants the underwriting to be very simple; they want to be able to get that insurance application in one system, like the make of a car — Ferrari or Volkswagen — and the model year,” Crickette explained. A complex organization like a city or state becomes challenging, if not painful, for insurance underwriters, she said.
So for three years, the University of California worked with insurance brokers in the U.S. and London on a new type of policy called “reverse underwriting.” This cutting-edge approach, as its name implies, flips underwriting upside down.
Consider how the car insurance business operates today: Agents write policies that cover cars individually, based on make and model, and the driver’s age and driving history. This process is fairly straightforward, done in a manner that the underwriter only has to check off a series of boxes. But doing that same process for risk assessment of IT in big universities and governments is simply unrealistic, Crickette said, because there are so many systems within one enterprise.
Reverse underwriting changes the game by agreeing to a set of controls ahead of time. In car insurance, these controls theoretically could be “no texting while driving” or “wearing a seatbelt.” For cybersecurity, a control could be the usage of encryption or password protection. If all of the agreed-upon controls are followed during a security incident, the claim is paid. But if a forensics team finds that any of the controls aren’t present, the claim is denied.
The University of California agreed to 18 of these controls in its cybersecurity insurance policy. “And it’s covered in a much more generous way than the typical policy,” Crickette said. “Not only are they going to pay for fines, which is unusual, they’re going to pay for litigation costs and breach response costs — it’s very holistic.” Coverage for data housed in third-party systems also was thrown in by the broker. So far this type of coverage has proved to be effective for the university, Crickette said, and she’s optimistic reverse underwriting could work well for cities, counties and states.
There are benefits to this unusual type of insurance, Crickette said. One is that when it’s time to talk about risk with users or IT managers at one of the university’s campuses, they can be told why their siloed server isn’t insured and what needs to be done to bring a system up to the security control standards. “It has helped us induce that conversation, and helps us persuade people to give up keeping data on their systems and move to our centralized system,” she said.
Main illustration by Tom McKeith