BreachExchange mailing list archives

College officials wary of ‘cyber insurance’ for private data


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 15 Aug 2010 00:18:08 -0400

http://www.themonitor.com/news/officials-41652-insurance-college.html

Officials at both of Hidalgo County’s public institutions of higher
learning said they would rather rely on preventive measures than buy
costly “cyber insurance” to protect against threats to their data
security.

Representatives from the University of Texas-Pan American and South
Texas College said they were confident in the rigor of their
information security systems.

They see little value in cyber liability policies, which other higher
education institutions across the nation have purchased to offset
large expenses following a data breach.

“Rather than spending money at the back end, use your resources to
prevent (risk),” said Bob Lim, UTPA vice president of information
technology. “There’s better use in working to fight intrusion than
being scared of it.”

UTPA’s network receives about 4 million attacks a year, Lim said. But
adding new layers to security would be better than buying what might
be an unused insurance policy.

Members of STC’s board of trustees also said they trusted their
security network on July 26, when they voted to gather more
information before making a decision on a $50,000 cyber liability
policy.

Steven Bourdon, STC chief information security officer, said
conversations with other college IT departments confirmed his belief
that cyber insurance was better suited for e-commerce organizations.

“The number one thing for us is reputation,” he said. “If there is a
breach, how would you monetize the effect on reputation?”

Like Lim, Bourdon said his department constantly evolves to change
encryption technology, firewalls and antivirus protection as online
threats become more complex.

Both also said constant vulnerability assessments proved the integrity
of their security systems, but should things go wrong, both colleges
had plans in place to inform affected individuals of a breach.

“At the end of the day, prevention is just the best bet,” Bourdon said.

Yet making that kind of risk assessment is not a good plan, said David
Navetta, founding partner of Information Law Group, a firm involved
with privacy, security and technology law.

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/