While offsetting the cost of a data breach is the most common coverage for cyberinsurance, policies may cover physical cyber-risks as well, such as the danger of attacks on utilities and medical facilities, and property damage and injury from cyberattacks.
As the ninth-largest U.S. state, Georgia has faced a long process to find an appropriate insurance policy. Because the state has so many different departments and bureaus — not to mention state universities and colleges — finding a solution to insure much of the infrastructure against breaches and cyber-risk has taken a long time.
“The underwriters have trouble getting their head around that there are different agencies, each with their own security processes,” said Steve Nichols, CTO of the Georgia Technology Authority.
The complexity, uneven security controls, and the fact that agencies have access to comprehensive information on citizens often means that insurers are leery about underwriting policies for states, he said. In addition, added complexity means a higher premium rate: While an industry norm is a $10,000 annual premium for $1 million in coverage, Georgia has to deal with quotes much higher than that.
“The industry is realizing that these things can run way past the policy limit; that can happen very easily,” said Nichols. “So everyone is gun-shy about taking on a policy for a state. We were taken aback by the number of companies that don’t underwrite this domain.”
While government has many of the same threats as private-sector companies, the infrastructure that states and municipalities manage can be more varied and more critical than the average company, said Denise Olson, chief financial officer of Phoenix.
“We, as a government agency, have to be more cautious,” she said. “We do have systems related to the water department and we have information on citizens. I think municipalities need to take additional means to protect our systems.”
Phoenix bought a policy for $10 million with a $500,000 deductible for a $200,000 annual premium.
Insurers continue to evolve and underwrite more complex policies. Many carriers have loss-control services that can be added onto a policy to give risk management advice, set up tabletop incident response exercises, and find other ways to help clients gauge and prepare for risks, said Jon Neiditz, partner in the Atlanta practice of law firm Kilpatrick Townsend.
“The most important thing for any entity is to understand the likely risk that it is scared about, and make sure that they are covered,” he said. “What are the biggest risks? Is it breach of unencrypted information, or is it not a confidentiality issue, but an integrity or availability issue?”
While offsetting the cost of a data breach is the most common coverage for cyberinsurance, policies may cover physical cyber-risks as well, such as the danger of attacks on utilities and medical facilities, according to John Farley, vice president of cyber-risk for insurance broker HUB International.
Property damage and injury from cyberattacks are covered by less than a handful of insurers, but more will venture into that area as the risks are better understood, he said. Yet it will take a while, because insurers have little data on regular breaches, nevermind more complex threats like cyberphysical attacks.
“The actuarial data is just not there yet,” Farley said.
Finally, security and risk experts underscore that having cyberinsurance does not mean that companies and government agencies can neglect their information security program. Cyberinsurance needs to be part of a comprehensive information security program, not a way to absolve the IT department of responsibility.
As part of the insurance process, insurers will hammer the lesson home.
“Sometimes, organizations think that insurance can take the place of what you are doing, but that is not the case at all,” said Montana’s Pizzini. “You have to have a lot of things in place just to get the insurance. Just like to have insurance on your vehicle, you have to have a good driving record. You need to have good security processes in place to get cyberinsurance.”
In the end, cyberinsurance is about offsetting risk, but also about preparing for a breach. For government agencies, the ability to tap into a knowledgeable partner in a time of crisis is invaluable, said Pizzini.
“I do not have the resources to go out and get contracts in place with a forensics service, a call center and credit reporting, and maintain all those contracts,” she said. “They have all those contracts in place for you to utilize. I would say that is the greatest advantage.”