Printed from BusinessInsurance.com

More states consider buying cyber insurance coverage

Posted On: May. 19, 2013 12:00 AM CST

More states consider buying cyber insurance coverage

More states are considering purchasing cyber insurance, although it remains a topic of debate.

Oregon is among the states considering buying the coverage. Theresa Masse, Oregon's chief information security officer, said most states are self-insured, “and there's kind of a limited pool of money.”

However, insurance is appearing “on more folks' radar screen. When we see the costs that can be associated with a major breach as we saw in South Carolina, it raised a lot of awareness, particularly among state and local governments, that it can be extraordinarily expensive if you incurred a major breach. There are a lot of costs, and the government hasn't got a lot of money,” she said.

The South Carolina Department of Revenue said in October that about 3.6 million Social Security numbers and 387,000 credit and debit card numbers were exposed in a cyber attack, and that some companies' business identification numbers also had been stored in the database that was breached.

Ms. Masse said insurance's “time has come, and I think it's important for state and local governments to start having the conversation around "Should we be doing something?' even if you don't have a full-blown policy” but do have coverage for certain aspects, such as credit monitoring or notification. “Even if you can't cover everything, at least look at some of the things that might have a higher ticket value.”

Ms. Masse said she is holding discussions with her broker “and trying to understand the return on investment,” because of the scarcity of funds. “We haven't made any final decisions, but it's certainly on the radar screen.''

The risk manager for one state, who asked not to be identified, said he has obtained a commercial insurance policy offering $2 million in limits for coverage that includes forensic investigations to determine the cause of breaches, notification costs, credit monitoring for a year and business interruption expenses.

However, Michigan Chief Security Officer Daniel J. Lohrmann said Michigan is not considering purchasing insurance, although it may reconsider doing so in the future. Right now, “we're working on a number of initiatives to strengthen” cyber security, he said. “We tend to be self-insured in Michigan,” he said.

%%BREAK%%

“Most states are in a position where, if they were to buy insurance” and there was a breach, the question that would arise is, “You spent a million on an insurance policy. Why didn't you spend a million on fixing the vulnerability or mitigating the risk?” Mr. Lohrmann said. “Any precious funds they have, they're trying to spend on actually trying to mitigate the risk.

“It may very well be (states) get to the point where they buy cyber insurance,” he said. “I think right now, they are really playing catch up. Frankly, they're behind where the private sector is.”