Any organization that feels that it is immune to the actions of malicious parties such as hackers is living in a fool’s paradise. The last decade has seen attacks driven by ideology, greed and in some cases a simple desire for revenge where a party thinks that it has been wronged by the organization. These attacks are not limited to the private sector. More and more often, public sector entities are finding themselves in the crosshairs of hackers. For the private sector, stronger cyber security defenses and a more proactive approach are having some effect on slowing the attacks – but it’s becoming more challenging to keep up with the ever-evolving threat. The private sector is increasingly turning to cyber insurance to at least mitigate some of the effects of hacking; however, governments across the globe seem to have been slow to take advantage of the innovations in insurance offerings. Given the severity of the cyber threats, is it time for governments and their agencies to leverage cyber insurance offerings?
Escalating public sector cyber threat levels
It’s not as if public sector agencies and organizations have not had fair warning about the severity of malware and hacking attacks. For at least the last ten years, governments around the world (and especially the U.S. government) have been under siege by players who now have the skills and the motivation to cause untold harm to public sector organizations. Security breaches leading to data loss are becoming the norm rather than the exception, and cyber risk management is now of the utmost importance.
The sheer scale and sophistication of the attacks have not only caused business interruptions for private sector companies but have also disrupted public services. The recent WannaCry ransomware attack not only affected more than 300,000 computers in over 150 countries but also effectively crippled Britain’s National Health Service. Staff were forced to fall back on pen and paper and on their own mobiles after the attack affected key systems, including telephones.
WannaCry was possibly one of the most devastating cyber attacks in history, but even though it grabbed headlines due to the widespread damage it caused, it was merely the latest in a long string of attacks that affected both private and public sector organizations.
Back in June 2015, possibly one of the most damaging cyber attacks to target the public sector in the United States came to light. The attack targeted the Office of Personnel Management (OPM), which manages the U.S. government’s employment records, both for employees and contractors, as well as managing personal information for a number of civilian federal agencies. When the report on the hack came to light, it dealt a devastating blow to the reputation of the OPM and severely affected levels of confidence in the ability of the U.S. government and its agencies to protect sensitive information. It appeared that there had been two separate attacks and that data relating to the records of around 2.5 million people had been compromised. OPM also stores the data that is gathered on applicants for some of the government’s most secretive jobs. That data can include everything from lie detector results to notes about whether an applicant engages in risky sexual behavior.
Can cyber insurance help the public sector?
There seems to be no doubt that cyber insurance would go some way to mitigating the effect of hacking and malware attacks on public sector institutions. The insurance in and of itself will not stop the attacks but may provide access to funds that could be used to shore up defenses – and in the case of ransomware attacks perhaps also provide the funds to pay off the hackers. The private sector has embraced cyber insurance with cyber extortion coverage and seems more than willing to pay off attackers. Although this seems like a remarkably bad idea, it may be the only way that organizations will be able to regain access to their files. Rewarding bad behavior is not the solution – but as the old saying has it, ‘needs must when the Devil drives’. Paying off those who launch ransomware attacks is simply the lesser of two evils.
Public sector attitudes towards cyber insurance evolving?
Public sector organizations in the United States may have been reluctant to purchase cyber insurance coverage in the past, but now the realization seems to be sinking in that it is going to be almost impossible to stop every one of these attacks.
Of course, this type of insurance also means that the public sector can pay off the almost inevitable lawsuits that follow attacks by malicious entities.
The problem is that purchasing cyber insurance for public sector use is an expensive option, and shifting the institutional mindset away from simply protecting an organization from hacking and malware attacks requires an admission that some of these attacks are going to cause harm. Slowly but surely, state officials in the U.S. are coming to this realization.
“It’s expensive. It’s a big budget item for us. But it’s absolutely worth it,” said Michael Hussey, Utah’s chief information officer. “You’re seeing breaches now that cost companies and states millions and millions of dollars.” Utah and over a dozen states have learned from past errors. In the case of Utah, it was a security breach in 2012 that led to 780,000 residents having their personal information stolen from the Utah Department of Health. When judging whether the U.S. public sector is willing to embrace cyber insurance, it is telling that Utah only purchased the insurance in 2015 – a full three years after the hacking incident.
So the question must be asked – is the public sector reluctant to purchase this type of insurance or is it simply that the time that it takes to obtain budgetary approval means that these institutions may be perceived as not taking the new insurance instruments seriously?
It’s common knowledge that any type of insurance is what is known as a grudge purchase. The expenditure provides no tangible return on investment – until something goes wrong – like a determined cyber attack. Then the cyber insurance company’s coverage of costs such as investigating and restoring data, notifying those whose information may have been compromised, and providing legal and public relations services and credit monitoring is invaluable. For Utah, the cost is insignificant in the grand scheme of things – a mere $230,000 for $10 million in coverage against the effects of a cyber attack – and this policy covers every agency in the Utah Executive Branch.
Cyber insurance provision trending upward
In 2016, insurers wrote $1.35 billion in premiums, a 35 percent jump from the previous year, according to Fitch Ratings.
U.S. state CIOs have been playing their part in positioning the public sector as one of the main drivers behind the increased activity. In 2016, 38 percent of those CIOs reported having some type of cyber insurance, compared to just 20 percent in 2015.
However, insurance industry experts point out that selling cyber insurance to states can be challenging.
“Some states and local governments don’t even know where their data is or what they’ve got,” said Dan Lohrmann, Chief Security Officer for Security Mentor, a national security training firm that works with states.
In Georgia, Chief Technology Officer Steve Nichols said he was not convinced about the need for cyber insurance policies, at least at first, but when he saw how many mega companies had breaches and the financial impact of those breaches, he quickly changed his mind.
Three years after Georgia purchased coverage, hackers gained access to a server at the Department of Public Health and Human Services. Data including clients’ names and Social Security numbers was pilfered. The state mailed letters about the incident to more than a million people who could have been affected.
The insurance coverage helped to pay for the mailing program, the setup of a call center, and provided forensic investigation, legal and communications assistance as well as credit monitoring.
“We used all of the services in our insurance policy,” said Nichols. “It would have cost us a ton more than the premium we pay.”
Cyber insurance helpful but not a replacement
Hackers, both state players and those operating for monetary gain, are a feature of the information technology and data management landscape. They are not going to disappear anytime soon – if ever. The tools that they are using are becoming ever more complex. And IT experts cautioned that having cyber insurance shouldn’t make the public sector complacent. Insurance of this type is not a substitute for a comprehensive security program. While the coverage can be a big help after the fact, states need to invest in security, keep their technology as up to date as possible, and be prepared for hackers and cybercriminals.