Not everyone’s convinced of the value, but public CIOs must be involved in the decision.
When it comes to breaches in electronic data, and the compromise of citizens’ private information, South Carolina has set the standard. In fall 2012, the state’s Department of Revenue announced that some 3.6 million Social Security numbers and 387,000 credit and debit card numbers had been exposed in a cyberattack.
It proved a pricey event. The state forked over $12 million for credit monitoring, $5.6 million for stronger encryption and $1.3 million to notify taxpayers. In all, the South Carolina Budget and Control Board approved a $20.1 million loan to cover costs associated with the breach.
Maybe there’s a better way. Given the spate of cyberattacks in the private and public sectors, some municipalities have sought to inoculate themselves against such catastrophic loss through a vehicle known as cyberinsurance. Just as it sounds, cyberinsurance indemnifies a state, county or city against a range of losses caused by compromised technology.
Alex Deshuk, manager of technology and innovation for Mesa, Ariz., believes in the value of such coverage. Since late 2013 the city has carried insurance for up to $20 million in cyberdamage, paying a few tens of thousands of dollars for the policy.
With 4,000 employees and about as many computers in use, the prospect of a breach of data or privacy can’t be overlooked. “It is part of our general risk assessment to look at all our risks through all of our assets, and cyberassets are important,” Deshuk said. “They have value just like any tangible asset, and there is always some risk to that.”
While the nature of that risk may vary widely, there are some common elements among today’s cyberinsurance policies. In most cases, such insurance covers:
Crisis management, which may include the expense of investigating an incident and remediating networks.
Notification, which would cover the cost of notifying all individuals potentially impacted by the loss of data.
Municipal loss such as theft of city or county funds, or fines and penalties assessed.
Third-party coverage to pay for issues like defacement of a website or loss of intellectual property due to an attack on the government’s systems. This might include denial of service to a third party’s systems or costs related to theft from a third party.
To gauge the potential loss for a single incident, consider a 2013 NetDiligence study. Looking only at the legal costs associated with 29 separate incidents, researchers saw defense expenses run as high as $10 million and settlement costs as high as $20 million. (Mean costs were $575,000 and $258,000, respectively.)
It takes a deft hand to estimate the amount of coverage one might actually need. How likely is a breach? How often? How widespread? What might be lost? Given the many variables, some municipalities will no doubt be challenged to determine the right amount of coverage.
“We took it from the worst-case scenario,” Deshuk said. His team worked with the city’s risk assessors to examine assets, possible threats and deployed defenses. In the end, they opted to insure against 10 percent of their estimated greatest possible loss. Certainly this leaves a big window for potential catastrophe, “but we felt that the likelihood of that kind of event is relatively low.”
Some say this exercise in risk assessment may in itself be one of the great benefits of shopping for cyberinsurance.
Because the application demands an in-depth inventory of assets and processes, “the application process itself acts as a risk management tool,” said Matt Prevost, Philadelphia Insurance Companies’ product manager for cyberinsurance. As with most such policies, this insurer’s cybercoverage includes first- and third-party coverage, loss of digital assets, business interruption, cyberextortion and even the impact of cyberterrorism.
To fully indemnify cyber-risks, civic leaders must consider more than just their digital assets. “For example, who you will be dealing with when breach time comes is a big question,” Prevost said. “You need to know the right steps to take immediately. You want to have a response template built in as part of that insurance coverage.”
To make that happen, all relevant players must come together to discuss possible scenarios. As a result, IT may find itself occupying a new seat at the table. “Planning for cyberinsurance brings the systems administrator and the CTO into the risk management conversation, which typically hasn’t happened before through the insurance buying process. This is a big point in time where the IT team can join that risk management equation,” Prevost said.
That coming-together effect is more than just a bonus. It’s fundamental to government’s efforts to secure what is still a relatively new form of coverage.
“We see applications that have been filled out by someone who is clearly not a tech expert, and that’s where that squeamishness comes into play, just because they may not understand what they are reading,” said Karl Pedersen, senior vice president at insurance brokerage Willis. “When we include somebody from the tech side of the house in our conversation, it tends to be much more productive.”
Looking out over the landscape of cyberinsurance, Pedersen tells his government customers that not all policies are created equal. What are the key points of comparison?
Unencrypted media exclusion. Some insurers will decline to cover losses that come as a result of unencrypted media. Take for instance the all-too-common scenario of an employee who takes home a laptop or flash drive. As custodian of that data, government officials will want to indemnify their potential loss, whether or not the data is encrypted.
Timing is crucial. Many policies will pay only on losses that are reported during the period of coverage. In reality, you may not hear about a loss for weeks or even months after the fact. It takes time for these things to come to light. Look for a policy that has a retroactive date, with coverage beginning at least two years prior to the policy’s effective date and extending out beyond the life of the policy as well.
Rogue employees. Suppose someone on the IT team walks off with the encryption keys, effectively compromising the whole network. Not every policy will recognize this as a cyberbreach. It is, and it merits coverage.
Paper — really? Data doesn’t just live in the box on your desk or on a server. It also lives in a cardboard box in the basement. Paper records are data too, and they should be included in any policy that indemnifies against the loss of data. It may seem counterintuitive — a cyberpolicy that covers reams of 8.5 x 11 information — but a good policy will recognize it as all being on the same continuum. “People assume we are only talking about electronic data, but really this is about privacy, regardless of the format,” Pedersen said.
For many at the state and local level, the quest for cyberinsurance has not yet come down to comparing the nuances of different policies: They’re still at the starting gate. Despite the rash of high-profile digital attacks on national retailers, the reality of a cyberthreat has not yet hit home among all municipal leaders.
In Arizona, state IT leaders have successfully made the case for coverage, with insurance in place to protect against loss in a central state data center. Winning buy-in from other government leaders has taken some finesse, said Deputy State CIO Phil Manfredi.
“It’s about outreach and training and education — not just the employees but the legislature as well,” Manfredi said. “Security is extremely complicated, there are layers upon layers, so you need to have the kind of relationship with the legislature where you can communicate the importance in these areas.”
Often this means IT must discipline itself to sidestep the gory technical details and focus on the big picture. “The challenge is that everybody is on different levels of experience. So I start with the threat landscape: Who is trying to attack us, why are they trying to attack us and how often?” said Arizona Chief Information Security Officer Mike Lettman. “That kind of conversation is always an eye opener, when they begin to see how persistent those people are in trying to get our data.”
Some IT leaders, on the other hand, have yet to convince themselves of the merits of coverage. In Fort Worth, Texas, for instance, CIO Peter Anderson has been leading an exploration of the topic since mid-2013.
In principle, Anderson would like enough coverage to restore his data and systems, offset lost time and productivity and indemnify against a stolen laptop, among other things. He also wants to know he’d be covered against more than just hackers. “We know there have been instances across the country where folks have had damage to their systems caused by fire or flood. Even if you back up tape somewhere offsite, to recover those can be fairly expensive,” he said.
So far he’s priced such coverage at $2,400 to $7,500 a year. “To me, that range seems reasonable, given the potential risk and all the things that could happen, given the magnitude of what it could look like,” he said. Still, he finds it hard to be confident in any price tag. Health-care insurance, auto coverage — these are known quantities, based on untold reams of data. “But for a city, there is relatively little historical data that you can look at from other cities.”
Analysts say this lack of data is a crucial element in the cautious development of cyberinsurance across all sectors, including government. “Insurance pricing is not feasible without standards against which to measure conduct, as well as liability that arises from failure to meet those standards,” the Heritage Foundation reports. “In the cyberdomain, neither is currently available. There are no generally accepted cybersecurity standards, and there is no generally applicable liability system in place to account for failures to meet those standards.”
Despite such uncertainties, Anderson is pushing for a yes from the City Council. Considering the manifold risks in today’s cyberenvironment, “from my perspective, we should do it,” he said.
But wait. Perilous as the digital landscape may be, some municipal IT leaders are holding back. There may be risks, they say, but to pay for insurance is overkill.
Kirk Sexton, director of information services for the Hillsborough County, Fla., Tax Collector’s Office, is happy to enumerate all the reasons why his office doesn’t need cybercoverage.
His office encrypts credit card data at the point of scan.
There’s a single data center with limited access.
Staff turnover is low, and everyone gets mandatory cybertraining.
The county collects tax on 600,000 parcels, moving $2 billion a year through all its various transactions, but it’s a limited pool of individuals, far smaller than the tens of millions of Target customers — and the county knows where most of them live, should notification become necessary. “So when we look at our maximum exposure, we say that even if they got every single credit card, which is highly unlikely, the loss is going to be substantially less than in a case like Target,” Sexton said.
His verdict: “Unless there is a class-action suit brought against us, we would not be that concerned about it.”
So why pay the premiums?
For many, cybercoverage may turn on the question of money. Pedersen said a state will typically pay $15,000 to $20,000 for every $1 million in coverage. A typical state cyberpolicy may run $20 million to $30 million. You may want it, may even think you need it, but ultimately the arrival of cyberinsurance on the government landscape will likely come down to the same old question: Can you afford it?