Concerned about hackers, states turn to cyber insurance
As the threat from hackers and cybercriminals intensifies, a growing number of states are buying cyber insurance to protect themselves - and taxpayers.
“It’s expensive. It’s a big budget item for us. But it’s absolutely worth it,” said Michael Hussey, Utah’s chief information officer. “You’re seeing breaches now that cost companies and states millions and millions of dollars.”
More than a dozen states now have cyber insurance policies, which cover losses and expenses if a computer network is hacked. Insurers typically pick up the cost of investigating and restoring data, notifying those whose information may have been compromised, and providing legal and public relations services and credit monitoring.
Mr. Hussey said Utah first bought a policy in 2015, three years after a data breach of a Department of Health server exposed 780,000 residents’ personal information to hackers. The state wound up spending millions of dollars to deal with the aftermath, including paying for credit monitoring and legal fees and conducting a security assessment of all state servers.
Utah now pays $230,000 a year for $10 million in cyber coverage and has a $1 million deductible. The policy covers every agency in the executive branch.
So far, the state hasn’t had any big data breaches that would require filing a claim, but that doesn’t mean it won’t happen in the future, Hussey said.
“We check what we’re supposed to be checking,” he said. “But with cyber, if one little thing is overlooked or you have bad luck and leave something undone, you’d hate to be left holding the bag to cover that.”
A Growing Market
In the wake of massive data breaches like those involving Yahoo last year and Anthem the year before, many businesses have scrambled to buy cyber insurance. Last year, insurers wrote $1.35 billion in premiums, a 35 percent jump from 2015, according to Fitch Ratings.
States have been following in their footsteps. In a survey of state CIOs this year, 38 percent reported having some type of cyber insurance, compared to 20 percent in 2015.
Even some small cities, such as Cody, Wyoming, have purchased cyber coverage this year.
Hackers and cybercriminals in recent years have taken aim at state and local government networks, which contain information such as Social Security, bank account and credit card numbers on millions of people and businesses. And online activists have hijacked government computer systems, defaced websites, and hacked into data or email and released it online.
In 2016, state information technology officers ranked cybersecurity as their top priority for the third year in a row.
James Lynch, chief actuary for the Insurance Information Institute, an industry trade group, said selling cyber insurance to states is especially challenging.
“What states do is so diffuse and sprawling, and they deal with so many types of people and circumstances that it’s difficult for an insurance company to fully get a grasp on what those risks are and underwrite them all,” Mr. Lynch said.
It can be equally challenging for those purchasing cyber insurance, he added.
“When you buy an auto policy, you have a pretty good idea what’s in it. The terminology is highly standardized. It’s been vetted through the courts,” Lynch said. “You don’t have that in cyber because the product is so new. The actual things being covered also vary greatly from policy to policy.”
And government agencies sometimes don’t understand the risks or what kind of coverage they’ll need, cyber experts say.
“Some states and local governments don’t even know where their data is or what they’ve got,” said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states. “So when you start having to give the insurer a list of how many servers you have and what systems are included, it gets pretty complicated.”
Mr. Lohrmann said many state IT security officials initially were wary of cyber insurance, figuring they’d rather spend their limited resources on prevention. But many now take a different view, he said, because they realize that having the insurance will ensure that they are keeping their security programs up to snuff. Insurers won’t sell states policies unless they meet certain standards, including regularly training staff, encrypting sensitive data and updating servers.
In Georgia, Chief Technology Officer Steve Nichols said he was skeptical about cyber insurance at first, but when he saw how many giant companies had breaches and the financial impact, he changed his mind.
In July, Georgia bought comprehensive cyber insurance, which covers about a hundred state agencies, he said.
Mr. Nichols said he thinks Georgia has the largest amount of cyber coverage of any state - $100 million. It pays a $1.8 million-a-year premium and has a $250,000 deductible per incident.
The state relied on a broker to guide it through the “very confusing and complicated” process and put together a deal with a consortium of insurers, he said.
Using Cyber Insurance
Montana was the first state to get cyber insurance, in 2011, said Lynne Pizzini, chief IT security officer. And it’s glad it did.
Three years later, hackers gained access to a server that contained Department of Public Health and Human Services data, including clients’ names and Social Security numbers and some health information. The state mailed letters about the incident to more than a million people who could have been affected.
Ms. Pizzini said the insurance company helped with the mailings, set up a call center, and provided forensic investigation, legal and communications assistance, and credit monitoring.
“We used all of the services in our insurance policy,” she said. “It would have cost us a ton more than the premium we pay.”
The state has a $2 million policy, which covers all agencies, including the university system, she said. It pays an $88,200 annual premium and has a $100,000 deductible per incident and a 10 percent copayment for credit monitoring.
But Pizzini and IT officials in other states caution that having cyber insurance shouldn’t make states complacent and view it as a substitute for a comprehensive security program. While the coverage can be a big help after the fact, they say, states need to invest in security, keep their technology updated, and be prepared for hackers and cybercriminals.
“It’s like brushing your teeth,” Georgia’s Nichols said. “You need to do it every day.”
This story was reported by Reuters.