Even those meeting more stringent qualifications are finding that affordable insurance cannot provide enough protection against cybersecurity risk.
Adam Frumkin, chief information officer at the Franklin County, Ohio, Data Center, and his team answered almost 500 questions in a back-and-forth with a cyber insurance provider last year. In the end, they got coverage – but for half the amount at double the cost.
“Things we had to prove this year, we didn’t have to prove last year. We jumped through an extra 15 to 20 hoops,” Frumkin said. Examples of questions include:
- What log-on types do you use?
- What steps are you taking to mitigate exposure?
- What records do you store and how many?
- How long do you keep data and for what reasons? What amount relates to health, financial or personally identifiable information?
- With respect to efforts to mitigate phishing, do you provide security awareness training to employees at least annually?
Frumkin said he expects that list to grow when he goes through the process again this year, particularly more questions related to remote work.
“I don’t think remote work has played a large role in cybersecurity this past year. I think it’s going to play a large role in this coming year’s cybersecurity questionnaire,” Frumkin said. “I think they’re going to ask what portion of your staff works remote and what type of protections do you have on the machine or what type of protections do you provide for them while they are remote?”
That will drive premiums up or lead to denial of coverage, he predicted. “If there are people out there that are still saying, ‘50% of our staff are still working remote or more,’ I think cyber insurers are going to say, ‘We’re not covering you.’”
This year the county has a policy that covers up to $1 million in costs associated with credit monitoring, paying ransom and restoring systems. Last year, it got $2 million in coverage for half the cost.
That’s not an uncommon situation. Sixty-nine percent of local governments are paying higher cyber insurance premiums, according to a survey by the CompTIA Public Technology Institute (PTI). For the Local Government Insurance Trust, a member-owned association that offers pooled insurance to 191 Maryland municipalities, that increase was 300%. At the same time, the number of governments that have cybersecurity insurance grew to 90% in 2021, up from 78% the year before.
When companies began offering cyber insurance in the mid-2000s, it seemed like a good idea to them, said Alan Shark, vice president for public sector and executive director of CompTIA PTI. “But I think now, with so many attacks having occurred, the insurance folks, generally, as an industry, realized, ‘My gosh, despite the best assurances a lot of these entities are being hacked and the payouts are much more expensive than we thought,’” Shark said.
That’s worrisome, he said, especially for smaller jurisdictions, which lack the expertise to fill out the kind of lengthy questionnaire Frumkin dealt with – and the expertise to put in place the good cyber hygiene that insurers look for before underwriting coverage.
“You need to understand what your risk profile is, and once you do understand your risk profile and understand where your shortcomings may be, you need to mitigate them,” Frumkin said. “If you don’t go down that road, the next time you try to get cyber insurance, you may not even qualify.”
Another factor that could shape future cyber insurance is Russia’s invasion of Ukraine, which is testing the “war exclusion” and “hostile act exclusion” language in policies. In the United States, cyber policies have typically stipulated that insurers will not cover losses arising from acts of war, according to Fitch Wire.
Frumkin predicts that a hybrid approach to cyber insurance will soon emerge – one in which governmental agencies self-insure and also buy insurance to help offset costs and increase coverage.
“You cannot insure for the amount that you need to insure for because the underwriters are not underwriting for that amount, so I think what’s going to happen is you’re going to have partial insurance and partial self-insurance,” he said.
PTI’s Shark said that a chunk of the $1 billion the Infrastructure Investment and Jobs Act tagged for state and local governments could be put toward cybersecurity, helping local governments to shore up their defenses “and therefore enable them to be a better prospect for cyber insurance.”
The by-product of increasing defenses and decreasing vulnerabilities to qualify for good cyber insurance policies is, well, better defenses and fewer vulnerabilities. That’s important, said Heidi Shey, a principal analyst at Forrester, because although cyber insurance offers some peace of mind, “it’s not a get-out-of-jail-free card. It’s just one way to manage risk and that’s through your risk transfer. You could choose to accept the risk, to mitigate it through your controls or to transfer it with insurance, and so it’s a balance to determine how much you’re willing to accept.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.