As more organizations place greater emphasis on information risk management and as the number of breaches targeting all types of enterprises seems to be rising, I've wondered about the value of cyber insurance. It's an area, I confess, I haven't covered, so I sought academics who might be conducting research in this discipline, hunting for those experts who could provide an assessment independent of the insurance industry. I quickly discovered that cyber insurance research isn't an area that has attracted much attention in academia.
Lisa Zimmaro doesn't conduct research at Temple University, but teaches insurance and risk management as an adjunct professor at the state-supported university situated 1Â½ miles north of downtown Philadelphia. Her day job, though, gives her a lot of insight into cyber insurance; Zimmaro is Temple's director of risk management and insurance, responsible for buying insurance for the university.
Those two events pushed us over the edge. They happened close enough together that it made us say, 'Okay, that's it.'
Zimmaro says she first thought about cyber insurance in 2008 after the university's chief information officer suggested such coverage. Two cyber breaches in May and June 2009 turned her reflection into action. During a seven-week period in late spring 2009, the University of California at Berkeley and Cornell University separately revealed major security breaches, exposing the personally identifiable information of more than 200,000 students and alumni between both institutions. "Those two events pushed us over the edge," Zimmaro says. "They happened close enough together that it made us say, "'Okay, that's it.'"
It didn't take the nation's 27th largest university with an enrollment of 37,000 students long to act: In July 2009, with the help of Temple's insurance broker, the school acquired a cyber policy from insurer Chartis, with coverage up to $10 million a year. In the 2-plus years since the policy took effect, Temple has yet to have had the need to file a claim.
To get the best policy, the school's broker approached 10 different carriers, and though some insurers may have offered a lower premium, price alone shouldn't be used to determine which policy to take. Not all policies offer the same protection, and reliability varies among insurers. Zimmaro thinks Temple's cyber policy is worth the premium. She wouldn't provide an exact amount the university pays in premiums for cyber insurance but furnished a range: $100,000 and $200,000 a year. Premiums could have been higher, but Zimmaro decided on a bigger deductible than the university takes on other types of liability insurance policies.
"I got boatloads and buckets of all types of insurance here at Temple; cyber is not making me cringe or throwing me over the edge, premium wise. It doesn't even come close to general liability or property insurance," Zimmaro says. "But what did push us toward this is that there are exclusions in general liability (GL) policies that made us think that had we had a breach that our general liability carrier would deny coverage, and a lot of GL carriers are doing that now because they don't want to be on the hook for a data breach."
Nearly Every Imaginable Act Covered
Simply, she says, Temple's cyber insurance covers nearly every imaginable act that could have an impact on its IT systems, protecting the school from breaches caused by outsiders as well as those from insiders, whether or not their intent was to intentionally cause the university harm. The insurance covers Temple for consequences of a breach, such as credit-monitoring services for those whose personally identifiable information is exposed, as well as legal costs to defend the school against liabilities resulting from, say, exposure of sensitive data.
Edward DeMarco, director of operational risk and director of regulatory relations and communications at the Risk Management Association, says speaking with a knowledgeable broker is smart, but organizations - his association represents banks - should also seek out lawyers who are savvy and experienced in insurance coverage disputes to review policies. "If you got someone to read the policy, understand exclusion and sit and talk to IT people at a firm, you're really in a position to see if you're adequately covered or not," DeMarco says. "Otherwise, you're potentially taking a reputational hit. You may be subject to fines, depending on what the data is that's breached. Your stock price is going to go wonky, and sometimes you're going to lose confidence in management."
After the vetting process, qualifying for insurance can prove to be a tedious task when compared with applying for other types of liability insurance. Temple had to fill out a detailed, 30-page application, providing information about safeguards the school is taking to defend its data and systems. The CIO was interviewed by the insurer as well. Because Temple never had cyber insurance, thus didn't having a history on claims the insurer might need to pay, more due diligence was required for the initial policy. In the future, Zimmaro believes renewal should be far less arduous, as is the case with other types of liability insurance, because a history on claims - or lack thereof - would exist.
The most important piece of advice Zimmaro offers on seeking cyber insurance is to have a good, trustworthy broker, who not only understands the organization's needs regarding cyber insurance, but can properly vet insurers.
Zimmaro's and DeMarco's insights into cyber insurance make me a bit more educated on the matter, but my hunt for more information about the topic isn't over. If you know of any academic research on cyber insurance, let me know at firstname.lastname@example.org.