Montana, of all places, is where that conversation might start. Last year, at a bagel shop, Clark asked a special projects manager working in the state’s IT Services Division to investigate risk management and cyberinsurance. Stephen Forrest used his background as a former law clerk to write an informal white paper on the topic. The work argues that states should agree to a “standard of care” for information technology that would be legally defensible and would also aid insurance brokers trying to assess risk and price affordable insurance plans. Forrest wrote that the National Institute of Standards and Technology’s Special Publication 800-53 could serve as the standard, since federal agencies already use this document as a benchmark for security, recovery and continuity criteria. Eventually states could be accredited against the standard, Forrest proposes, in order to give insurers further assurance.
Furthermore, Forrest advocates for a new job role called the chief information technology risk officer. A CITRO — not to be confused with a traditional chief information security officer — would focus on integrating policy (such as cyberinsurance) that enables proper risk mitigation strategies. “The person would have some knowledge of law or insurance, bending toward that rather than IT,” Forrest said. The same skill set that makes a great technician or a great chief information security officer may not make a great CITRO, because they’re two different mindsets. The CITRO would be the go-between for the IT side of the house and the risk management officials, who typically work within their own silo.
Forrest conceded that making these kinds of changes to IT management would force an evolution in how governments typically think about security and its relationship to risk management. A lot of states still believe IT risk management is about penetration testing and making certain that ports are secured. But this mentality of “we never can let anything bad happen” is unrealistic, Forrest said. “It’s the equivalent of saying that a doctor could never have a patient die on the operating table or a home could never burn for any reason,” he said. Instead, Forrest said governments would be better served practicing true risk management at the policy level, which includes insurance.
Some government security officers seem supportive of the idea, but they caution that there are many hurdles to overcome. “It’s not that I don’t think you should do everything in your resources and funding to do prevention — but the bottom line is you’re not going to be able to,” Masse said. “You will never be bulletproof. Never. You have insurance in all other aspects of your life. Why not for IT security?”
Still, carving out money from the budget to buy another insurance policy would be a tough sell. Masse said she also is concerned that Oregon would not be getting a good price because there isn’t a lot of information readily available for comparison. “I think that what we’ve been quoted seems high for us,” she said. The state’s risk managers are accustomed to paying less for other types of policies. Insurance brokers also need to understand that government doesn’t have as much money as corporations to spend, she said. Masse speculated that the higher rates could be due to the insurance industry’s perception that government IT is riskier than the private sector’s computer systems. The fact that governments continue to rely heavily on legacy systems doesn’t help, she added.
Dan Lohrmann, the chief security officer of Michigan, said another issue is a lack of motivation. Lawsuits against government must prove “gross negligence” — not just negligence (although Forrest said this “sovereign immunity” has eroded over the years). And many states have a history of being self-insurers, which basically means they handle the policies themselves. Furthermore, public-sector executives still prefer to spend precious dollars on fixing problem areas in security, Lohrmann said.
Politics also is involved, he said. He believes insurance won’t stop the negative publicity of a data breach, as in South Carolina and Utah. “Purchasing insurance implies a level of knowledge of the risks and acceptance of those risks. However, if a breach occurs, someone will suffer politically. The question will be: ‘Why didn’t you do more to stop the breach in the first place rather than buy the insurance?’”
Clark, though, sees insurance as a much-needed lifeline for a beleaguered CIO: “We need to start thinking of the private sector as our ally in this, and how we can start to mitigate and reduce our exposure, such as car or homeowners insurance. We need somebody who can impose a standard of care that can back us in court. What has happened right now is, if you get hacked it doesn’t matter how much good you did — you have no way of having anybody support you. You get fired as the CIO, the state takes the black eye, and there’s nobody there to help you.”
Clark hopes NASCIO can coordinate talks with the insurance industry. Masse, an executive committee member of the Multi-State Information Sharing and Analysis Center, said MS-ISAC also would be a good organization to get involved. In addition, she has talked with agency directors in Oregon state government, hoping to raise the issue’s profile.
The obstacles might seem insurmountable, but innovative thinking in the University of California’s Risk Management Office might show the way forward. Grace Crickette, chief risk officer of the university system, said that although cyberinsurance products are improving, they still weren’t attractive for campuses’ individual needs and the prices were high. And the overwhelming number of different computer systems operated by the university made it almost impossible to fill out a traditional application for insurance. Many of the systems are small and siloed, making an accurate inventory of risk a tall task.
“I think that the insurance community wants the underwriting to be very simple; they want to be able to get that insurance application in one system, like the make of a car — Ferrari or Volkswagen — and the model year,” Crickette explained. A complex organization like a city or state becomes challenging, if not painful, for insurance underwriters, she said.
So for three years, the University of California worked with insurance brokers in the U.S. and London on a new type of policy called “reverse underwriting.” This cutting-edge approach, as its name implies, flips underwriting upside down.
Consider how the car insurance business operates today: Agents write policies that cover cars individually, based on make and model, and the driver’s age and driving history. This process is fairly straightforward, done in a manner that the underwriter only has to check off a series of boxes. But doing that same process for risk assessment of IT in big universities and governments is simply unrealistic, Crickette said, because there are so many systems within one enterprise.
Reverse underwriting changes the game by agreeing to a set of controls ahead of time. In car insurance, these controls theoretically could be “no texting while driving” or “wearing a seatbelt.” For cybersecurity, a control could be the usage of encryption or password protection. If all of the agreed-upon controls are followed during a security incident, the claim is paid. But if a forensics team finds that any of the controls aren’t present, the claim is denied.
The University of California agreed to 18 of these controls in its cybersecurity insurance policy. “And it’s covered in a much more generous way than the typical policy,” Crickette said. “Not only are they going to pay for fines, which is unusual, they’re going to pay for litigation costs and breach response costs — it’s very holistic.” Coverage for data housed in third-party systems also was thrown in by the broker. So far this type of coverage has proved to be effective for the university, Crickette said, and she’s optimistic reverse underwriting could work well for cities, counties and states.
There are benefits to this unusual type of insurance, Crickette said. One is that when it’s time to talk about risk with users or IT managers at one of the university’s campuses, they can be told why their siloed server isn’t insured and what needs to be done to bring a system up to the security control standards. “It has helped us induce that conversation, and helps us persuade people to give up keeping data on their systems and move to our centralized system,” she said.
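The two mechanics described above, a claim that is paid only when every agreed control is present, and a per-system report that tells an owner why a siloed server isn’t insured and what must change, can be captured in a small inventory check. The following Python is an added example written for this article, not code from the University of California or its brokers; the control list and the two system records are constructed for illustration (the article names only encryption and password protection among the 18 real controls, so the rest are hypothetical), and a control with no recorded evidence is treated as absent, which is what a forensics team would find.

```python
"""Reverse-underwriting control check (added example, not from the article).

A policy is written against a fixed list of agreed controls. At claim time the
same list is applied to what forensics actually observed on the affected system:
every control present -> claim paid; any control missing or unevidenced -> denied.
The same function run at inventory time tells a system owner what to fix.
"""
from dataclasses import dataclass, field

# Hypothetical agreed controls (constructed; the article lists only encryption
# and password protection, and says the real policy has 18 controls).
AGREED_CONTROLS = {
    "encryption_at_rest": "Sensitive data on the system is encrypted at rest",
    "password_protection": "Accounts require authentication with a password policy",
    "patching": "Security patches are applied within the agreed window",
    "backups": "Backups are taken and restore-tested on schedule",
    "logging": "Security logs are retained for the agreed period",
}


@dataclass
class SystemRecord:
    """One system in the inventory; `evidence` maps control id -> True/False.
    A control that is simply not attested is absent from the dict."""
    name: str
    owner: str
    evidence: dict = field(default_factory=dict)


@dataclass
class CoverageDecision:
    system: str
    covered: bool
    missing: list        # attested as NOT in place
    unevidenced: list    # never attested at all (treated as absent)


def evaluate(system: SystemRecord, agreed=AGREED_CONTROLS) -> CoverageDecision:
    """All-or-nothing test at the heart of reverse underwriting."""
    missing = sorted(c for c in agreed if system.evidence.get(c) is False)
    unevidenced = sorted(c for c in agreed if c not in system.evidence)
    covered = not missing and not unevidenced
    return CoverageDecision(system.name, covered, missing, unevidenced)


def remediation_report(system: SystemRecord, agreed=AGREED_CONTROLS) -> list:
    """The 'why isn't my server insured and what do I do' conversation, as text."""
    d = evaluate(system, agreed)
    if d.covered:
        return [f"{d.system}: insurable; all {len(agreed)} agreed controls evidenced"]
    lines = [f"{d.system} (owner {system.owner}): NOT insurable"]
    lines += [f"  missing control: {c}: {agreed[c]}" for c in d.missing]
    lines += [f"  no evidence for: {c}: {agreed[c]}" for c in d.unevidenced]
    return lines


def summarize(inventory: list, agreed=AGREED_CONTROLS) -> tuple:
    """(covered_count, total) across an inventory, for the centralisation argument."""
    decisions = [evaluate(s, agreed) for s in inventory]
    return sum(1 for d in decisions if d.covered), len(decisions)


# Constructed sample inventory: one centralised system, one siloed departmental box.
CENTRAL = SystemRecord("central-records", "IT services",
                       {c: True for c in AGREED_CONTROLS})
SILOED = SystemRecord("dept-lab-server", "lab admin", {
    "encryption_at_rest": False,   # attested, but not in place
    "password_protection": True,
    "patching": True,
    "backups": True,
    # "logging" never attested -> counts as absent
})
INVENTORY = [CENTRAL, SILOED]

if __name__ == "__main__":
    for system in INVENTORY:
        print("\n".join(remediation_report(system)))
    covered, total = summarize(INVENTORY)
    print(f"{covered} of {total} systems insurable under the agreed controls")
```

Running it prints the central system as insurable and the lab server as not, with the one failed control and the one unevidenced control spelled out; the summary count is the figure a risk office would bring to the conversation about moving data off siloed systems.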
Main illustration by Tom McKeith