Cyber Liability Insurance at the State Government level

I read an interesting article recently on Cyber Insurance within the public sector titled "Are Governments Ready to be Buyers of Cybersecurity Insurance". There were two main points that stood out to me and a surprise as well.

We know that the actual penetration of Cyber Insurance in the privacy sector is somewhere around the 20% mark and that it is lower in the government sector. I was surprised however that the only known state to be purchasing coverage was Montana, and that it's only a $2 million limit. This is very surprising when you look at the risks state governments carry. Over the past year two of the large breaches exposed millions of records one being the Utah Department of Health breach of nearly 800,000 records and the South Carolina Department of Revenue that breached over 3 million taxpayers' records. This breach and the costs of it have been reported on extensively and are near $20 million, still very few government agencies are purchasing the coverage.

One of the key points of the article that stood out to me was the complexity of the underwriting: "there is not real clarity from governments — a lack of putting together what their security picture is when it's time to sit down and write a policy," Freeman said. Therefore, it's difficult for underwriters to assess risk. Government risk officers and insurance commissioners, meanwhile, counter that they need more information and education about cyberinsurance products, as well as true dialog with the industry before they buy. Some have likened the situation to two poker players who don't know each other's cards and therefore aren't willing to bet."

Why is this like a poker match? That just doesn't make sense to me. I can appreciate the fact that a larger government agency or even a large corporation that has grown through many acquisitions will have a complex technology systems and structure, but so complex that they cannot find suitable insurance? Why couldn't they complete a privacy and security risk assessment which is recommended by one of the various regulations even government entities are covered by and it at minimum it would be a best practice to do so. If done properly it would inventory these systems and the data within them. It would highlight the areas of increased risk of a data breach. This would be a great source of information for both the potential insured, and the insurer to provide a competitive policy.

I kept reading however and came to another interesting point in the article. It seems that Grace Crickette, Chief Risk Officer for the University of California system has a good start on a solution for this complex issue. She has worked with insurance brokers in the US and London to create a new type of policy called "reverse underwriting."

This cutting-edge approach, as its name implies, flips underwriting upside down.

Consider how the car insurance business operates today: Agents write policies that cover cars individually, based on make and model, and the driver's age and driving history. This process is fairly straightforward, done in a manner that the underwriter only has to check off a series of boxes. But doing that same process for risk assessment of IT in big universities and governments is simply unrealistic, Crickette said, because there are so many systems within one enterprise.

Reverse underwriting changes the game by agreeing to a set of controls ahead of time. In car insurance, these controls theoretically could be "no texting while driving" or "wearing a seatbelt." For cybersecurity, a control could be the usage of encryption or password protection. If all of the agreed-upon controls are followed during a security incident, the claim is paid. But if a forensics team finds that any of the controls aren't present, the claim is denied.

The University of California agreed to 18 of these controls in its cybersecurity insurance policy. "And it's covered in a much more generous way than the typical policy," Crickette said. "Not only are they going to pay for fines, which is unusual, they're going to pay for litigation costs and breach response costs — it's very holistic." Coverage for data housed in third-party systems also was thrown in by the broker. So far this type of coverage has proved to be effective for the university, Crickette said, and she's optimistic reverse underwriting could work well for cities, counties and states.

To me this seems like an excellent approach since it takes what the government wants, compliance from all that manage sensitive data to protect the individuals, and promotes the movement toward more secure environment. The regulations imply that a risk assessment should be completed frequently and the gaps discovered closed as soon as practicable.

If you look at other forms of insurance it seems what the regulators want can match very closely with what the insurance carrier will require. In those cases the insurance can be used more as a carrot to lead organizations in the right direction instead of a cushion if an incident does occur.