Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

U. of Calif. cyber risk cover required 'reverse-underwriting'

Reprints
U. of Calif. cyber risk cover required 'reverse-underwriting'

When insurers balked at the prospect of covering the University of California's cyber risks because of the vast scope of potential liability exposures associated with higher education and health care, Chief Risk Officer Grace Crickette turned the tables on their underwriters and asked them do something they had never done before.

She suggested the underwriters try “reverse-underwriting,” a process similar to reverse-engineering, in which something is taken apart to see how it works in order to duplicate or enhance it.

If the university met all the cyber security protocols set by underwriters, then the policy would respond to any losses that might occur. If not, the university would be left to fend for itself.

The end result was a $5 million cyber liability policy responding to all damages and expenses stemming from a university data breach, including notification costs, forensic investigation expenses, credit monitoring, identity restoration and call center services, said Gary Leonard, the university's property and fleet program manager, who also is in charge of its cyber liability risk transfer program.

“Grace had been talking to our brokers about wanting to purchase this type of insurance for some years, and for a university system of our size it was really difficult,” he said. “Grace would show the applications to some of our campus information officers, and it was just an overwhelming task to try to fill out a traditional insurance application.”

For example, the underwriting applications typically used for cyber risk coverage ask how many computer servers are used to store data, and what types of firewalls are being employed to ensure they are secure, but “in the academic world, many researchers have their own servers, and they do not fall necessarily within the university's guidelines of how the university likes to see information protected,” Mr. Leonard said.

Moreover, a single campus could have more than 1,000 servers containing not only student and employee data, but also patient data if it has a medical center, as well as research data, he said.

“So it was decided to turn the tables a little bit. Instead of underwriting to the actual conditions that we have at the university, why not write to standards that the underwriters would like to see in place?” Mr. Leonard said.

While “it was a new way of thinking for many people,” he said, it eventually piqued the interest of the London market. One of the university's brokers, Alliant Insurance Services Inc. in San Francisco, worked with London broker Price Forbes & Partners Ltd. to develop the university's cyber risks policy, which is underwritten by Lloyd's of London underwriter Aspen Underwriting Inc.

Just having the policy in place is helping to raise the awareness of data security throughout the university and is driving loss prevention efforts, according to Mr. Leonard. Each campus also is required to follow an incident response plan in the event of a data breach. The plan includes protocols for reporting losses designed to improve data collection, he said.

Since the coverage was bound in 2011, a handful of claims have been reported, none of which exceeded the university's $1 million per-occurrence retention, said Mr. Leonard. However, some were denied because the conditions of coverage were not met, he said.

Premiums, which are allocated to the campuses based on an actuarial analysis of exposures, increased slightly in 2012 after the university doubled its limits to $10 million, Mr. Leonard said.

“The underwriter was a little bit more comfortable opening up some more limits, and we thought it would be a good time to take advantage of that,” he said.

After securing cyber risk coverage for its indigenous exposures, Ms. Crickette is exploring what types of cyber risks coverage may be available to respond to cyber risks associated with the university's use of outside contractors and vendors that store data off-site or in “the cloud,” said Mr. Leonard.

Read Next

  • Grace Crickette reduces workers comp claims with prevention

    After an analysis of the University of California's workers compensation claims experience showed that 32,593 of the university's 187,201 faculty and staff had filed repeat claims, Chief Risk Officer Grace Crickette decided it was time to focus on prevention.