Cyber Liability Insurance For Universities: Incentivizing Best Practices As A Condition To Coverage (a.k.a "Reverse Underwriting")


Originally published on CyberInquirer

Computer hacking is a constantly evolving and growing threat. While recent high-profile network security breaches at companies such as Epsilon and Sony (with crisis management and other costs estimated to range from $1 billion to multiples thereof in the case of Sony) have helped raise awareness about the need to adequately protect personal identifiable information, the problem has existed for decades.

Yet the situation has only recently begun to receive proper attention from the media, government officials, businesses, and certain segments of the insurance industry. Of course, the cost of a security breach may have something to do with that. According to a study from Marsh and the Ponemon Institute, the typical data breach in FY 2010 resulted in companies and their insurers having to pay an average of $7.2 million to deal with and remedy the situation.

One particularly alluring target for hackers has been educational institutions. While schools and universities may not immediately appear to be obvious targets, the statistics confirm that attacks against educational institutions are on the rise.

In 2007, educational institutions accounted for 25% of all reported data breaches. This number jumped to 33% in 2008. See Sarah Stephens & Shannan Fort, Cyber Liability & Higher Education, Aon Professional Risk Solutions White Paper (December 2008) (Available at: http://www.google.com/search?q=Cyber+Liability+%26+Higher+Education+Aon+Professional+Risk+Solutions+...&rls=com.microsoft:*&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1). Indeed, some of the most devastating and costly security breaches have occurred at institutions such as UCLA (more than 800,000 records were compromised and approximately 28,600 Social Security numbers were obtained), the University of Miami (2,100,000 medical records were stolen and 47,000 potential victims were notified), and the Chicago Public School system (two different breaches occurred, including one involving 40,000 records as the result of the theft of two accounting laptops).

Perhaps most problematic for institutions of higher learning, insurers are less willing to underwrite cyber and network coverage because of the inherent difficulty in determining risk due to a lack of uniformity in the operation and management of computer systems throughout the university. Large research-based universities often operate on a decentralized network system in that each department maintains and utilizes its own network. Thus, a college of liberal arts may operate on its own network separate and apart from a college of engineering. This problem was best exemplified when Grace Crickette, Chief Risk Officer of the University of California, attempted to obtain tech and cyber liability coverage. Ms. Crickette found that she could not even complete the necessary insurance applications due to the University's largely decentralized computer system (400 departments multiplied by ten campuses, as well as five medical centers, bookstores, etc.) and various other factors unique to a large research-based institution. Moreover, because of the nature of funding for large research institutions, Ms. Crickette could not simply side-step the issue by pushing for all systems to be centralized.

Two years and countless unsuccessful meetings later, Ms. Crickette finally was able to obtain the coverage she sought from a Lloyd's syndicate, Aspen, by adopting an outside-of-the-box approach that she referred to as "reverse underwriting." The reverse-underwriting approach allows an insurer to cover losses only if best practices for securing information are implemented and followed. Analogizing such coverage to the more familiar practice of lowering deductibles and premiums for safe drivers in the context of automobile insurance, Ms. Crickette explained that the University would be covered only if forensic computer analysts could prove that the breached computer system met the minimum security standards developed by the University's Chief Information Officers and approved by Aspen. In short, the coverage incentivizes best practices for protecting information.

The terms of the Aspen policy also function to generally raise awareness amongst the University's various departments about the importance of adequately securing information. Ms. Crickette noted that some departments even agreed to centralize their systems when it was feasible to do so. Thus, the University not only obtained the tech and cyber coverages that it sought, it also was able to increase institutional awareness of cyber security risks, thereby reportedly lowering the risk of future breaches.

Notwithstanding the fact that large educational institutions and universities often contain decentralized network systems that make assessing risk difficult for underwriters, the fact remains that tech and cyber coverage may be available through the reverse underwriting method. As such, underwriters should not instinctively turn their backs on the potentially lucrative premiums that large universities may be willing to pay simply because their risks are difficult to gauge. Rather, it is reasonable for underwriters to demand that certain baseline levels of protection be put in place, and to condition coverage on the university forensically proving that the data at issue was fully protected at the time the breach occurred. Of course, the level of protection required must be negotiated, and the security systems must be regularly updated as the state of the art evolves. So long as universities are willing to implement protocols and enforce internal compliance with the latest information-protection best practices, underwriters should be willing to meet universities halfway by conditioning coverage on compliance with the protocols agreed upon by the parties.

Finally, prior CyberInquirer articles have discussed other approaches taken by certain universities to minimize the risks associated with cyber attacks. See "For Some Universities, Cyber Insurance Doesn't Make the Grade". For instance, the University of Texas-Pan American opted to forgo obtaining cyber insurance and instead invested its premium dollars into developing and adding new layers of security protection. In our view, however, the most prudent course of conduct would be for all prospective policyholders (whether institutions of higher learning or not) to develop and implement added layers of security, which will enable them to: (1) better protect against network intrusions, and (2) use such added protection as leverage in negotiating lower premiums based upon a diminished risk of breach. As the old saying goes, you can pay me now or pay me later.

www.cozen.com
