BreachExchange mailing list archives

Cyberinsurance: Do You Need It?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 3 Mar 2014 18:53:57 -0700

http://www.govtech.com/security/Cyberinsurance-Do-You-Need-It.html

When it comes to breaches in electronic data, and the compromise of
citizens' private information, South Carolina has set the standard. In fall
2012, the state's Department of Revenue announced that some 3.6 million
Social Security numbers and 387,000 credit and debit card numbers had been
exposed in a cyberattack.

It proved a pricey event. The state forked over $12 million for credit
monitoring, $5.6 million for stronger encryption and $1.3 million to notify
taxpayers. In all, the South Carolina Budget and Control Board approved a
$20.1 million loan to cover costs associated with the breach.

Maybe there's a better way. Given the spate of cyberattacks in the private
and public sectors, some municipalities have sought to inoculate themselves
against such catastrophic loss through a vehicle known as cyberinsurance.
Just as it sounds, cyberinsurance indemnifies a state, county or city
against a range of losses caused by compromised technology.

Mesa, Ariz., Manager of Technology and Innovation Alex Deshuk believes in
the value of such coverage. Since late 2013 the city has carried insurance
for up to $20 million in cyberdamage, paying a few tens of thousands of
dollars for the policy.

With 4,000 employees and about as many computers in use, the prospect of a
breach of data or privacy can't be overlooked. "It is part of our general
risk assessment to look at all our risks through all of our assets, and
cyberassets are important," Deshuk said. "They have value just like any
tangible asset, and there is always some risk to that."

While the nature of that risk may vary widely, there are some common
elements among today's cyberinsurance policies. In most cases, such
insurance covers:

Crisis management, which may include the expense of investigating an
incident and remediating networks.

Notification, which would cover the cost of notifying all individuals
potentially impacted by the loss of data.

Municipal loss such as theft of city or county funds, or fines and
penalties assessed.

Third-party coverage to pay for issues like defacement of a website or loss
of intellectual property due to an attack on the government's systems. This
might include denial of service to a third party's systems or costs related
to theft from a third party.

To gauge the potential loss for a single incident, consider a 2013
NetDiligence study. Looking only at the legal costs associated with 29
separate incidents, researchers saw defense expenses run as high as $10
million and settlement costs as high as $20 million. (Mean costs were
$575,000 and $258,000, respectively.)

It takes a deft hand to estimate the amount of coverage one might actually
need. How likely is a breach? How often? How widespread? What might be
lost? Given the many variables, some municipalities will no doubt be
challenged to determine the right amount of coverage.

"We took it from the worst-case scenario," Deshuk said. His team worked
with the city's risk assessors to examine assets, possible threats and
deployed defenses. In the end, they opted to insure against 10 percent of
their estimated greatest possible loss. Certainly this leaves a big window
for potential catastrophe, "but we felt that the likelihood of that kind of
event is relatively low."

Some say this exercise in risk assessment may in itself be one of the great
benefits of shopping for cyberinsurance.

As an in-depth asset exploration and process control, "the application
process itself acts as a risk management tool," said Matt Prevost,
Philadelphia Insurance Companies' product manager for cyberinsurance. As
with most such policies, this insurer's cybercoverage includes first- and
third-party coverage, loss of digital assets, business interruption,
cyberextortion and even the impact of cyberterrorism.

To fully indemnify cyber-risks, civic leaders must consider more than just
their digital assets. "For example, who you will be dealing with when
breach time comes is a big question," Prevost said. "You need to know the
right steps to take immediately. You want to have a response template built
in as part of that insurance coverage."

To make that happen, all relevant players must come together to discuss
possible scenarios. As a result, IT may find itself occupying a new seat at
the table. "Planning for cyberinsurance brings the systems administrator
and the CTO into the risk management conversation, which typically hasn't
happened before through the insurance buying process. This is a big point
in time where the IT team can join that risk management equation," Prevost
said.

That coming-together effect is more than just a bonus. It's fundamental to
government's efforts to secure what is still a relatively new form of
coverage.

"We see applications that have been filled out by someone who is clearly
not a tech expert, and that's where that squeamishness comes into play,
just because they may not understand what they are reading," said Karl
Pedersen, senior vice president at insurance brokerage Willis. "When we
include somebody from the tech side of the house in our conversation, it
tends to be much more productive."

Looking out over the landscape of cyberinsurance, Pedersen tells his
government customers that not all policies are created equal. What are the
key points of comparison?

Unencrypted media exclusion. Some insurers will decline to cover losses
that come as a result of unencrypted media. Take for instance the
all-too-common scenario of an employee who takes home a laptop or flash
drive. As custodian of that data, government officials will want to
indemnify their potential loss, whether or not the data is encrypted.

Timing is crucial. Many policies will pay only on losses that are reported
during the period of coverage. In reality, you may not hear about a loss
for weeks or even months after the fact. It takes time for these things to
come to light. Look for a policy that has a retroactive date, with coverage
beginning at least two years prior to the policy's effective date and
extending out beyond the life of the policy as well.

Rogue employees. Suppose someone on the IT team walks off with the
encryption keys, effectively compromising the whole network. Not every
policy will recognize this as a cyberbreach. It is, and it merits coverage.

Paper -- really? Data doesn't just live in the box on your desk or on a
server. It also lives in a cardboard box in the basement. Paper records are
data too, and they should be included in any policy that indemnifies
against the loss of data. It may seem counterintuitive -- a cyberpolicy that
covers reams of 8.5 x 11 information -- but a good policy will recognize it
as all being on the same continuum. "People assume we are only talking
about electronic data, but really this is about privacy, regardless of the
format," Pedersen said.

For many at the state and local level, the quest for cyberinsurance has not
yet come down to comparing the nuances of different policies: They're still
at the starting gate. Despite the rash of high-profile digital attacks on
national retailers, the reality of a cyberthreat has not yet hit home among
all municipal leaders.

In Arizona, state IT leaders have successfully made the case for coverage,
with insurance in place to protect against loss in a central state data
center. Winning buy-in from other government leaders has taken some
finesse, said Deputy State CIO Phil Manfredi.

"It's about outreach and training and education -- not just the employees
but the legislature as well," Manfredi said. "Security is extremely
complicated, there are layers upon layers, so you need to have the kind of
relationship with the legislature where you can communicate the importance
in these areas."

Often this means IT must discipline itself to sidestep the gory technical
details and focus on the big picture. "The challenge is that everybody is
on different levels of experience. So I start with the threat landscape:
Who is trying to attack us, why are they trying to attack us and how
often?" said Arizona Chief Information Security Officer Mike Lettman. "That
kind of conversation is always an eye opener, when they begin to see how
persistent those people are in trying to get our data."

Some IT leaders, on the other hand, have yet to convince themselves of the
merits of coverage. In Fort Worth, Texas, for instance, CIO Peter Anderson
has been leading an exploration of the topic since mid-2013.

In principle, Anderson would like enough coverage to restore his data and
systems, offset lost time and productivity, indemnify against a stolen
laptop, among other things. He also wants to know he'd be covered against
more than just hackers. "We know there have been instances across the
country where folks have had damage to their systems caused by fire or
flood. Even if you back up tape somewhere offsite, to recover those can be
fairly expensive," he said.

So far he's priced such coverage at $2,400 to $7,500 a year. "To me, that
range seems reasonable, given the potential risk and all the things that
could happen, given the magnitude of what it could look like," he said.
Still, he finds it hard to be confident in any price tag. Health-care
insurance, auto coverage -- these are known quantities, based on untold
reams of data. "But for a city, there is relatively little historical data
that you can look at from other cities."

Analysts say this lack of data is a crucial element in the cautious
development of cyberinsurance across all sectors, including government.
"Insurance pricing is not feasible without standards against which to
measure conduct, as well as liability that arises from failure to meet
those standards," the Heritage Foundation reports. "In the cyberdomain,
neither is currently available. There are no generally accepted
cybersecurity standards, and there is no generally applicable liability
system in place to account for failures to meet those standards."

Despite such uncertainties, Anderson is pushing for a yes from the City
Council. Considering the manifold risks in today's cyberenvironment, "from
my perspective, we should do it," he said.

But wait. Perilous as the digital landscape may be, some municipal IT
leaders are holding back. There may be risks, they say, but to pay for
insurance is overkill.

Hillsborough County, Fla., Tax Collector's Office, Director of Information
Services Kirk Sexton is happy to enumerate all the reasons why his office
doesn't need cybercoverage.

His office encrypts credit card data at the point of scan.

There's a single data center with limited access.

Staff turnover is low, and everyone gets mandatory cybertraining.

The county collects tax on 600,000 parcels, moving $2 billion a year
through all its various transactions, but it's a limited pool of
individuals, far smaller than the tens of millions of Target customers --
and the county knows where most of them live, should notification become
necessary. "So when we look at our maximum exposure, we say that even if
they got every single credit card, which is highly unlikely, the loss is
going to be substantially less than in a case like Target," Sexton said.

His verdict: "Unless there is a class-action suit brought against us, we
would not be that concerned about it."

So why pay the premiums?

For many, cybercoverage may turn on the question of money. Pedersen said a
state will typically pay $15,000 to $20,000 for every $1 million in
coverage. A typical state cyberpolicy may run $20 million to $30 million.
You may want it, may even think you need it, but ultimately the arrival of
cyberinsurance on the government landscape will likely come down to the
same old question: Can you afford it?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
