Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

More states consider buying cyber insurance coverage

Reprints
More states consider buying cyber insurance coverage

More states are considering purchasing cyber insurance, although it remains a topic of debate.

Oregon is among the states considering buying the coverage. Theresa Masse, Oregon's chief information security officer, said most states are self-insured, “and there's kind of a limited pool of money.”

However, insurance is appearing “on more folks' radar screen. When we see the costs that can be associated with a major breach as we saw in South Carolina, it raised a lot of awareness, particularly among state and local governments, that it can be extraordinarily expensive if you incurred a major breach. There are a lot of costs, and the government hasn't got a lot of money,” she said.

The South Carolina Department of Revenue said in October that about 3.6 million Social Security numbers and 387,000 credit and debit card numbers were exposed in a cyber attack, and that some companies' business identification numbers also had been stored in the database that was breached.

Ms. Masse said insurance's “time has come, and I think it's important for state and local governments to start having the conversation around "Should we be doing something?' even if you don't have a full-blown policy” but do have coverage for certain aspects, such as credit monitoring or notification. “Even if you can't cover everything, at least look at some of the things that might have a higher ticket value.”

Ms. Masse said she is holding discussions with her broker “and trying to understand the return on investment,” because of the scarcity of funds. “We haven't made any final decisions, but it's certainly on the radar screen.''

The risk manager for one state, who asked not to be identified, said he has obtained a commercial insurance policy offering $2 million in limits for coverage that includes forensic investigations to determine the cause of breaches, notification costs, credit monitoring for a year and business interruption expenses.

However, Michigan Chief Security Officer Daniel J. Lohrmann said Michigan is not considering purchasing insurance, although it may reconsider doing so in the future. Right now, “we're working on a number of initiatives to strengthen” cyber security, he said. “We tend to be self-insured in Michigan,” he said.

%%BREAK%%

“Most states are in a position where, if they were to buy insurance” and there was a breach, the question that would arise is, “You spent a million on an insurance policy. Why didn't you spend a million on fixing the vulnerability or mitigating the risk?” Mr. Lohrmann said. “Any precious funds they have, they're trying to spend on actually trying to mitigate the risk.

“It may very well be (states) get to the point where they buy cyber insurance,” he said. “I think right now, they are really playing catch up. Frankly, they're behind where the private sector is.”

Read Next

  • States grapple with cyber security challenges as threats escalate

    States are struggling with many of the same challenges that face their business counterparts in the private sector when it comes to cyber security. The risks associated with cyber security are illustrated by a situation that occurred in South Carolina, which announced in October 2012 that about 3.6 million Social Security numbers and 387,000 credit and debit card numbers were exposed in a cyber attack. State officials also later revealed that some companies' business identification numbers had been stored in the database that was breached.