The ink was barely dry on Brown University's 2009 contract to move student email accounts to the Google cloud before
CISO David Sherry was getting calls from cyber risk insurance brokers asking if the university was considering outsourcing some of its liability. Thanks, but no thanks, was the answer.
Brown students are on a separate network from faculty and staff, Sherry explained. And, he wryly noted, the security provided by the Google Apps for Education service is as good, if not better, than what he could provide to the rotating crop of "new computer hackers" enrolled at the school's Providence, R.I., campus.
"With the students, we felt the liability was rather small," Sherry told a gathering of IT executives at a recent event at the Franklin W. Olin College of Engineering in Needham, Mass.
As the university contemplates whether to move faculty and staff accounts to the cloud, however, the conversation has changed. Federally funded research data is subject to a host of regulatory requirements. There are data retention requirements related to e-discovery and global privacy rules to consider. Getting customized security guarantees from a cloud provider is tough, if not impossible, even from one-eager-to-please marquee customer. Now it's Sherry who's asking questions about cyberinsurance. "We are taking a long look at it," he said. "It's not cheap."
Sherry is not alone. As data breaches proliferate and the potential costs associated with them are quantified -- as high as $202 per customer record, according to Ponemon Institute LLC's latest data breach study -- interest in cyber risk insurance is growing among IT executives.
"In the last few months, we have been getting a lot more inquiries than in the past," said Khalid Kark, a security and risk analyst at Forrester Research Inc. in Cambridge, Mass. Part of the reason for the uptick, he said, is that data breaches are becoming "a lot more impactful" to organizations, and senior executives are asking IT how the company can mitigate the risk. In addition, the insurance industry is aggressively pushing these policies.
"In a lot of cases, the actual insurance broker for the organization comes to them and says, 'Hey, we know there is this new cyberinsurance we can just add to your regular coverage and even give you a slight discount,'" Kark said.
Whether cyber risk insurance makes sense for your organization, however, is an open question, in Kark's view, particularly if your organization has a mature information security program. "My gut feel is that if you've got a certain level of maturity and you're pretty confident about your security controls, it is better to evaluate this insurance in a lot more depth," he said.
Data breach notification laws driving cyber risk insurance
Cyber risk insurance is a relatively new twist on the computer insurance coverage that has been around for decades, said risk consultant Richard Betterley, author of the influential The Betterley Report, an annual survey of specialty insurance products. Buyers of traditional computer insurance worried mostly about the destruction of data from fire or flood, for example, or even a hacker, and insuring for lost income caused by the damage.
My gut feel is that if you've got a certain level of maturity and you're pretty confident about your security controls, it is better to evaluate this insurance in a lot more depth.
Khalid Kark, security and risk analyst, Forrester Research Inc.
Cyber risk insurance, which Betterley began writing about in the early 2000s, addresses the liability arising from the inappropriate use of data, e.g. the theft of personal information to commit fraud. Some policies also cover a company's direct costs associated with the breach, the so-called first-party losses, such as notifying customers, offering credit monitoring or issuing new credit cards.
Until recently, cyber risk policies have not sold well, according to Betterley and other insurance experts, in part because the risk is new. The lack of liability judgments makes it hard for insurance companies to price the coverage -- Betterley said he has seen annual premiums ranging from $5,000 to $150,000 -- or to convince customers of the need for such coverage. But perceptions are changing in the wake of high-profile cases like The TJX Cos. Inc. computer security breach, which will cost the Framingham, Mass.-based retailer $171.5 million, according to the company's annual report filed March 30.
"What makes people want to buy cyberinsurance is recognition of the exposure. Organizations do not buy insurance for something that either is very unlikely to happen to them or for a likely event that will not incur much expense," said Tracey Vispoli, global cyber security manager for Cincinnati-based Chubb Group of Insurance Cos.
"What has really gotten the insurance selling are the data breach notification laws," Betterley said, referring to the 45-plus state security breach notification laws requiring organizations -- and their vendor partners -- to notify customers when personally identifiable information is breached. "When you have a health care system with a million records breached, at $60 a record, you're getting into big money fast," he said. As companies begin demanding proof of cyber risk insurance from their vendors, the market, -- which does an estimated $500 million of premiums per year according to the latest Betterley Report -- will grow quickly.
"We think cyber risk insurance probably is going to be really big, and so do the insurance companies," Betterley said, judging from the stampede of companies offering it. He added that while he expects many companies will be "scared off" by the price, he's of the opinion that "everybody ought to buy it -- who doesn't have data?"
Is cyber risk insurance for you?
Forrester's Kark said he is not for or against cyber risk insurance but cautions that the relative newness of the risk means it is harder to calculate the benefits of the coverage.
"There are going to be companies that don't have a lot of security controls, and you will be penalized and paying for the lowest common denominator across all the companies," he said. "It's still a big pool right now, and unless we can get to a point where we can pretty accurately predict the probability of a certain event happening, you will be overpaying if you have great security."
He also advised that companies look carefully at the particulars of the liability coverage for data breaches. "There usually is a cap," he said. Also, a security breach incurs many indirect costs, from loss of productivity and reputational damage to litigation expenses, which may or may not be included in the contract, so companies could still end up paying a "pretty significant chunk of the loss" that occurs because of a security breach.
"It's not an exact science, so the accuracy of the insurance companies trying to figure out this risk is not going to be great," he said. "Obviously, the customer ends up paying for the industry's need to hedge its bets."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.