The University of California (UC) has redefined the rules of cyber liability insurance, using an approach that the university’s Chief Risk Officer Grace Crickette calls “reverse underwriting.” Collaborating with the university’s chief information officers, insurance brokers Price Forbes & Alliant, and a London underwriter, UC developed a cyber liability insurance program that reduces risk and drives risk management best practices, Crickette said.
Several years ago, the University of California Office of Risk Services became increasingly aware of cyber risks, encompassing the exposures presented by network security, privacy and social networking. While UC self-insures and takes high retentions on all of its risks, from general liability to professional liability, it had no cyber insurance. Specifically, UC was seeking a product that covered its network security, privacy, media and technology liabilities and at the same time provided a data breach notification and forensics service framework. Not having insurance against these emerging risks left the University vulnerable, Crickette said.
Additionally, UC had already sustained cyber losses, both hazard losses to IT equipment and cyber breach incidents.
“Due to the nature and complexity of operations and the academic culture of open access, educational institutions, and in particular, large research-oriented universities, face unique exposures related to the Internet and information security and privacy,” according to a 2008 white paper on “Cyber Liability and Higher Education” by Aon Corp.
In 2008, educational institutions accounted for 33 percent of all reported data breaches. From Jan. 1, 2007 until Nov. 19, 2008, approximately 158 such institutions experienced data breaches involving 3.7 million records. The Ponemon Institute found the average cost of a data breach was $197 per record.
Such statistics put reducing cyber risks on UC Regents’ radar, Crickette said. The problem she found, however, was that no insurer wanted to write UC’s cyber liability coverage because she couldn’t complete the insurance applications – or the answers made the university seem like a high risk.
For instance, some asked:
- Within the past three years, have you had a failure or breach of computer security systems that caused a loss in excess of $25,000?
- Have you had any losses due to malicious code or viruses because of unauthorized access to your computer system?
- Do you collect credit card data?
The answer to all of those questions was yes, Crickette said, which made insurers perceive UC to be uninsurable. A large part of the problem was the scope of the university and its decentralized information technology (IT) systems.
UC has 10 campuses, five medical centers, and other areas of operation such as bookstores and dining facilities. It has approximately 170,000 employees and 250,000 students. The university is heavily involved with research, and manages patient care and public services, such as operating 56 Agriculture and Natural Resource stations for the state of California.
“While core systems like payroll and accounting systems are centralized, not all IT systems are,” Crickette said, “because of how funding comes to a university.”
Often, a university receives much of its funding through research grants, from governmental agencies or private industry, she explained. Typically that money goes to a specific professor, known as the principal investigator (PI), and does not go to the university’s general fund.
“When a corporation has revenue that comes in, it goes into a general accounting fund, and senior leadership along with the board will make strategic decisions about how that money will be allocated. We don’t have that luxury at the university,” Crickette said. Instead, a significant amount of funding is “tagged” for a special purpose.
To complete and support the research, a PI may need a particular computer system or standalone server. The tendency is for each PI to have their own systems, and many also hire their own IT staff. Because the CIOs could neither track those computer systems and servers nor apply standardized security measures to the data on them, the underwriting was difficult to complete, Crickette said.
“There are more than 400 departments at U.C. Berkeley, so multiply that by 10 campuses plus the medical centers. And if you can imagine there’s a high percentage of those departments with their own IT systems, [you can see how it becomes] very, very difficult to get an inventory of the systems. And if you do get the inventory of the systems, the due diligence that has to be done related to cyber risk in regard to security, even just protection of the equipment from hazard risk, becomes very, very difficult,” Crickette said.
In trying to develop a new cyber product, Crickette began by pitching the idea of what she called “reverse underwriting” first domestically, then in London. She wanted an insurance program to cover losses only if best practices had been followed.
“If we could identify the controls, privacy, network security and social engineering best practices that we wanted people (the PIs) to follow, and get an insurance company to collaborate with us to agree on those controls and underwrite to those controls, we would have coverage to pay claims,” she said. “However, we also wanted to demonstrate to carriers that we already had implemented many of the controls that a strong security posture would have required.”
Crickette spent two years pitching her idea to insurers. Given the loss experience of other universities, it was difficult for carriers to embrace the flexible approach that reverse underwriting entailed. Yet eventually her persistence paid off. With the help of her London insurance broker, Price Forbes & Alliant, she found a Lloyd’s syndicate to reverse underwrite the coverage. The underwriter, Rick Welsh, now with ANV London, understood that Crickette wanted insurance that would enhance risk management throughout UC, rather than transfer all of the risk to the carrier. As a result, Aspen provides coverage only as long as the claims forensics can prove that UC met the pre-agreed risk management standards.
The policy has 17 standards, which were developed by UC’s CIOs, such as:
- Maintain antivirus and malware prevention solutions, including in student/dormitory settings, on any computer that is part of your computer system, and update the protection at regular intervals, no less often than once every 30 days.
- Take reasonable security precautions when processing, storing or transmitting credit card payment data or personally identifiable information.
- Ensure laptops are encrypted, and that any employee laptop holding sensitive nonpublic data has whole-disk encryption in place.
- Maintain an incident reporting and response program that enables prompt escalation and management response for events reported by students, faculty and staff.
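Because coverage under the policy is conditional on forensics showing the standards were met, a practitioner would want a repeatable way to evidence compliance before an incident, not after. The following is an added example, not code from UC or the article: it evaluates a constructed asset inventory against the three host-level standards quoted above (antivirus currency, safeguards on card data or PII, laptop encryption). The field names, the sample hosts and their dates are assumptions; the incident-reporting standard is organizational and is not modelled here.

```python
from datetime import date

AV_MAX_AGE_DAYS = 30  # standard: updated no less often than once every 30 days

# Constructed sample inventory (assumed field names, not UC's real schema or data).
# encryption: "none", "file" (file/folder-level) or "whole_disk".
INVENTORY = [
    {"host": "lab-srv-01", "kind": "server", "av_updated": "2010-03-01",
     "card_or_pii": True, "safeguards": ["tls", "access_logging"],
     "encryption": "none", "sensitive_data": False},
    {"host": "pi-laptop-07", "kind": "laptop", "av_updated": "2010-02-20",
     "card_or_pii": False, "safeguards": [],
     "encryption": "file", "sensitive_data": True},
    {"host": "dorm-pc-112", "kind": "desktop", "av_updated": "2009-12-15",
     "card_or_pii": False, "safeguards": [],
     "encryption": "none", "sensitive_data": False},
    {"host": "clinic-ws-03", "kind": "laptop", "av_updated": "2010-02-08",
     "card_or_pii": True, "safeguards": ["tls"],
     "encryption": "whole_disk", "sensitive_data": True},
]


def check_host(rec, today_iso):
    """Return the list of standards one inventory record fails (empty = compliant)."""
    today = date.fromisoformat(today_iso)
    findings = []
    av_age = (today - date.fromisoformat(rec["av_updated"])).days
    # Definitions exactly 30 days old still satisfy "at least once every 30 days".
    if av_age > AV_MAX_AGE_DAYS:
        findings.append(f"antivirus definitions {av_age} days old (limit {AV_MAX_AGE_DAYS})")
    if rec["card_or_pii"] and not rec["safeguards"]:
        findings.append("handles card data or PII with no recorded safeguards")
    if rec["kind"] == "laptop":
        if rec["encryption"] == "none":
            findings.append("laptop is not encrypted")
        elif rec["sensitive_data"] and rec["encryption"] != "whole_disk":
            findings.append("laptop holds sensitive nonpublic data without whole-disk encryption")
    return findings


def evaluate(inventory, today_iso):
    """Map each host to its findings; hosts with an empty list meet the checked standards."""
    return {rec["host"]: check_host(rec, today_iso) for rec in inventory}


def noncompliant_hosts(inventory, today_iso):
    """Hosts that would fall outside the coverage condition on the given date."""
    return sorted(h for h, f in evaluate(inventory, today_iso).items() if f)


if __name__ == "__main__":
    for host, findings in evaluate(INVENTORY, "2010-03-10").items():
        print(f"{host}: {'OK' if not findings else '; '.join(findings)}")
```

Run against a real inventory export, the per-host findings double as the conversation starter the CIOs describe below: a PI can see exactly which control on which system would put a claim outside the policy's conditions.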
The standards are “carrots” to encourage more awareness of cyber risks and to motivate people to maintain better security controls. “The CIOs, as a whole, are very excited about the program because it gives them a tool to go out and have conversations with the professors, the PIs, and talk about what controls they need to have in place on their systems, or persuade them that perhaps their systems would be better suited in the hands of the CIOs,” Crickette said.
Previously, if a department had a cyber breach, it more than likely would have been an unbudgeted and non-covered incident, she said. The PIs were forced to incur the cost of responding to the breach from their own department budget, or had to ask their chancellor if general funds were available.
As an unexpected benefit, UC is reducing energy costs as more IT systems are being moved to centralized locations, Crickette said. The collaborative relationship with the carrier also has helped achieve the goal of having a unified, comprehensive risk management framework underpinned with a secure risk transfer insurance program.
The program has been in place for a year and is coming up for renewal. The University also hopes to get other carriers, or syndicates, interested in a similar cyber liability program. Besides helping other higher education institutions, Crickette hopes more competition will allow her to purchase larger limits of coverage. “A lot of people – both in higher education and outside of it – are interested in this policy,” she said.
The policy provides coverage for breach notice response services, online media liability, privacy and confidentiality breach liability, and security breach liability, including legal costs, forensics, third-party computer forensic professionals, and more.
Ultimately the program is doing what Crickette aimed to accomplish: cover claims when needed and reduce risk. “The [cyber] insurance is just part of focusing everyone’s attention on this area, and the way that it’s devised is to change behavior and improve the risk – not just pay for problems that arise,” she said.