Cyber-Exposure: The Value of Cyberinsurance Goes Beyond Compensation

Having cyberinsurance means not only offsetting the monetary risk, but also better responding to the breach.

by Robert Lemos / October 5, 2016
Steve Nichols, chief technology officer, Georgia Technology Authority David Kidd/e.Republic

Editor's note: This is part two in a three-part series on what you need to know when considering a cyberinsurance policy. Read part one. Read part three.

While large government agencies can, and often do, self-insure, dealing with the monetary losses surrounding a breach is only part of the value of cyberinsurance. Government networks are so varied, linking citizen data and operational infrastructure networks, that a breach could be very serious and responding to one can be complex.

To offset the risk, governments are increasingly looking at cyberinsurance. The state of Georgia, for example, is currently in the process of purchasing it.

“If you start contemplating a breach of tens of millions of dollars, that’s a big hit for even a state to take,” said Steve Nichols, CTO of the Georgia Technology Authority, which manages information technology for the state.

San Diego has 1.4 million citizens and 24 different networks that connect city bureaus and departments, more than 400 applications, numerous smart devices, a fleet of police cars and point-of-sale systems. The sheer variety of systems means that a breach could cost anywhere from tens of thousands of dollars to, in an absolute worst case, a half billion dollars, said Gary Hayslip, deputy director of the Department of Information Technology and CISO of San Diego.

Having cyberinsurance means not only offsetting the monetary risk, but also better responding to the breach, he said.

“It is one of the things that you hope you never have to use, but in today’s environment and with the technologies that we are moving into — we are moving to the cloud and we have smart city initiatives — you need to have cyberinsurance as the security blanket behind the scene,” he said.

Hayslip and other state and municipal CIOs and CISOs agreed: While the coverage for damages is an important part of cyberinsurance, the most valuable aspect is the expertise that insurance companies and their partners can provide to agencies dealing with a breach.

Buying the Right Policy

Because there are no standard policies, getting cyberinsurance can be a lengthy process for any government agency. Here are some tips:

// Get enough coverage
The cost of breaches can be astronomical. Following its breach in 2013, retail giant Target has incurred more than $291 million in costs associated with the compromise, only $90 million of which was covered by insurance. Government agencies should construct breach scenarios to estimate the insurance limits needed. The city of Phoenix, for example, bought $10 million in insurance to cover potential losses.

// Beware of exceptions
When Georgia looked at initial policy proposals, there were too many exemptions. The biggest differentiator for many insurers is what incidents and triggers they exempt from coverage. Some companies exempt breaches involving unencrypted data, while others require that USB drives must be barred from use. When the Georgia Technology Authority looked for a policy, it had to sift through them and decline those with too many exemptions, said CTO Steve Nichols. “In one case, they basically wanted to exempt lost laptops, and that does not help us at all,” he said.

// Test all scenarios
To check policies and prepare for possible breaches, government agencies should regularly run incident-response exercises. Such tabletop exercises are particularly important when evaluating insurance policies to make sure common incidents are covered, said Gary Hayslip, San Diego CISO. “You do incident-response tabletop exercises where you go through different types of scenarios: how bad could it actually get, how will you respond and what kind of damage you would take,” he said. “Then you start taking a look at what you can handle in house, what you have to outsource and what would be covered by an insurance policy. By doing that, you can figure out whether the insurance policy is worth the paper it’s written on.”