Having cyberinsurance means not only offsetting the monetary risk, but also better responding to the breach.
While large government agencies can, and often do, self-insure, dealing with the monetary losses surrounding a breach is only part of the value of cyberinsurance. Government networks are so varied, linking citizen data and operational infrastructure networks, that a breach could be very serious and responding to one can be complex.
To offset the risk, governments are increasingly looking at cyberinsurance. The state of Georgia, for example, is currently in the process of purchasing it.
“If you start contemplating a breach of tens of millions of dollars, that’s a big hit for even a state to take,” said Steve Nichols, CTO of the Georgia Technology Authority, which manages information technology for the state.
San Diego has 1.4 million citizens and 24 different networks that connect city bureaus and departments, more than 400 applications, numerous smart devices, a fleet of police cars and point-of-sale systems. The sheer variety of systems means that a breach could cost anywhere from tens of thousands of dollars to, in an absolute worst case, a half billion dollars, said Gary Hayslip, deputy director of the Department of Information Technology and CISO of San Diego.
Having cyberinsurance means not only offsetting the monetary risk, but also better responding to the breach, he said.
“It is one of the things that you hope you never have to use, but in today’s environment and with the technologies that we are moving into — we are moving to the cloud and we have smart city initiatives — you need to have cyberinsurance as the security blanket behind the scene,” he said.
Hayslip and other state and municipal CIOs and CISOs agreed: While the coverage for damages is an important part of cyberinsurance, the most valuable aspect is the expertise that insurance companies and their partners can provide to agencies dealing with a breach.
Buying the Right Policy
Because there are no standard policies, getting cyberinsurance can be a lengthy process for any government agency. Here are some tips:
// Get enough coverage
// Beware of exceptions
// Test all scenarios