Any organization that feels that it is immune to the actions of malicious parties such as hackers is living in a fool’s paradise. The last decade has seen attacks driven by ideology, greed and in some cases a simple desire for revenge, where a party thinks that it has been wronged by the organization. These attacks are not limited to the private sector. More and more often, public sector entities are finding themselves in the crosshairs of hackers. For the private sector, stronger cyber security defenses and a more proactive approach are having some effect on slowing the attacks – but it’s becoming more challenging to keep up with the ever-evolving threat. The private sector is increasingly turning to cyber insurance to at least mitigate some of the effects of hacking; governments across the globe, however, seem to have been slow to take advantage of the innovations in insurance offerings. Given the severity of the cyber threats, is it time for governments and their agencies to leverage cyber insurance offerings?
Escalating public sector cyber threat levels
It’s not like public sector agencies and organizations have not had fair warning about the severity of malware and hacking attacks. For at least the last ten years, governments around the world (and especially the U.S. government) have been under siege by players who now have the skills and the motivation to cause untold harm to public sector companies. Security breaches leading to data loss are becoming the norm rather than the exception and cyber risk management is now of the utmost importance.
The sheer scale and sophistication of the attacks have resulted not only in business interruptions for private sector companies but have also disrupted public services. The recent WannaCry ransomware attack not only affected more than 300,000 computers in over 150 countries but also effectively crippled Britain’s National Health Service. Staff were forced to switch to pen and paper and to their own mobiles after the attack affected key systems, including telephones.
While WannaCry was possibly one of the most devastating cyber attacks in history, and grabbed headlines due to the widespread damage it caused, it was merely the latest in a long string of attacks that have affected both private and public sector organizations.
Back in June 2015, possibly one of the most damaging cyber attacks to target the public sector in the United States came to light. The attack targeted the Office of Personnel Management (OPM), which manages the U.S. government’s employment records, both for employees and contractors, as well as managing personal information for a number of civilian federal agencies. When the report on the hack came to light, it dealt a devastating blow to the reputation of the OPM and severely affected levels of confidence in the ability of the U.S. government and its agencies to protect sensitive information. It appeared that there had been two separate attacks and that data relating to the records of around 2.5 million people had been compromised. OPM also stores the data that is gathered on applicants for some of the government’s most secretive jobs. That data can include everything from lie detector results to notes about whether an applicant engages in risky sexual behavior.
Can cyber insurance help the public sector?
There seems to be no doubt that cyber insurance would go some way to mitigating the effect of hacking and malware attacks on public sector institutions. The insurance in and of itself will not stop the attacks but may provide access to funds that could be used to shore up defenses – and in the case of ransomware attacks perhaps also provide the funds to pay off the hackers. The private sector has embraced cyber insurance with cyber extortion coverage and seems more than willing to pay off attackers. Although this seems like a remarkably bad idea, it may be the only way that organizations will be able to regain access to their files. Rewarding bad behavior is not the solution – but, as the old saying has it, ‘needs must when the Devil drives’. Paying off those who launch ransomware attacks is simply the lesser of two evils.
Public sector attitudes towards cyber insurance evolving?
Public sector organizations in the United States may have been reluctant to purchase cyber insurance coverage in the past, but now the realization seems to be sinking in that it is going to be almost impossible to stop every one of these attacks.
Of course, this type of insurance also means that the public sector can pay off the almost inevitable lawsuits that follow attacks by malicious entities.
The problem is that purchasing cyber insurance for public sector use is an expensive option – and the institutional mindset change, away from simply protecting an organization from hacking and malware attacks, requires an admission that these attacks are going to cause harm. Slowly but surely, state officials in the U.S. are coming to this realization.
“It’s expensive. It’s a big budget item for us. But it’s absolutely worth it,” said Michael Hussey, Utah’s chief information officer. “You’re seeing breaches now that cost companies and states millions and millions of dollars.” Utah and over a dozen states have learned from past errors. In the case of Utah, it was a security breach in 2012 that led to 780,000 residents having their personal information stolen from the Utah Department of Health. When judging whether the U.S. public sector is willing to embrace cyber insurance, it is telling that Utah only purchased the insurance in 2015 – a full three years after the hacking incident.
So the question must be asked: is the public sector reluctant to purchase this type of insurance, or is it simply that the time it takes to obtain budgetary approval means that these institutions may be perceived as not taking the new insurance instruments seriously?