Cyber-Exposure: Government Lags Private Sector in Buying Cyberinsurance

More governments are protecting their IT assets with cyberinsurance. Here’s what you need to know when considering a policy.

by Robert Lemos / October 4, 2016

Editor's note: This is part one in a three-part series on what you need to know when considering a cyberinsurance policy.

In 2014, a contractor for the government of Montana noticed signs of hacking on a server belonging to the state’s Department of Public Health and Human Services.

The incident — which state officials do not classify as a “breach” as no data was thought to be lost — put millions of citizens’ records at risk. While investigators found no signs that the data had been leaked, state officials triggered their 6-year-old cyberinsurance policy to help in notifying 1.2 million past and present Montana residents and providing a call center to answer questions, said Lynne Pizzini, chief information security officer (CISO) and deputy CIO of Montana.

“We have 1 million residents and we sent 1.2 million letters, so that kind of tells you that we were right at the edge — this is one of the largest incidents we will see,” she said, adding that the state’s cyberinsurance policy was invaluable. “People ask if you need to pay for cyberinsurance, and I think you do, because we all know that it is not if, but when, you have a breach.”

Lynne Pizzini, CISO and deputy CIO, Montana. Photo by Kelly Gorham

The state has to date put no price tag on the incident, which is still being investigated, but it likely could have cost Montana millions of dollars. Yet, while the insurance coverage for monetary damage is important to protect taxpayers, a more significant value of cyberinsurance is that state and local governments have a partner to work with during an incident, Pizzini said.

“The fact that insurance provides all those things that you need in the time of an incident, and they are automatically in place and you can utilize them, is huge,” she said. “We had forensics capability immediately, and we had counsel. They had a communications plan we could utilize and a call center — all of those things you need in the time of an incident.”

The insurance industry is looking at a tremendous demand for cyberinsurance. Increasing concerns about breaches and cyber-risks drove a 27 percent annual increase in the purchase of cyberinsurance policies, according to insurance broker Marsh. Across the industry, about a quarter of insurance brokers’ clients have purchased some form of cyberinsurance, a significant proportion given that only 35 percent of clients have an information security program in place, according to the Council of Insurance Agents and Brokers.

More than 60 different insurers now have insurance products aimed at offsetting cyber-risk.

Yet government agencies have been among the slowest adopters. While 37 percent of financial services firms and 29 percent of retail companies had a cyberinsurance policy in 2013, only 19 percent of government agencies had insured themselves against breaches, according to a survey conducted by the Ponemon Institute. In 2015, only 20 percent of state CIOs had purchased cyberinsurance, according to a survey conducted by the National Association of State Chief Information Officers.

“If everyone in the private sector is buying cyberinsurance, why is the government not doing the same thing?” asked Jake Olcott, vice president of business development at BitSight Technologies, which rates the security of companies for insurers, among other clients. “As far as I know, there is no governmentwide policy about insurance that government agencies are supposed to buy or take out. … This is an area where the government is behind the private sector.”