Targeted Risk Management Can Help Stem Losses; Municipalities Facing Budget Constraints
The potential exposure of both governmental and commercial entities to network and enterprise security breaches comes down to this: It’s not a question of if, but when, and size doesn’t matter.
That’s pretty much the consensus of the property/casualty insurance industry regarding cyber security risks. But there are methods that any organization can use to help prevent loss of vital information and deal with it should a breach of security occur.
And they do occur. Breaches of both public and private networks during the past year alone — think Sony, the U.S. government, law enforcement sites in Arizona — have been highly publicized in the general media. The stolen data runs the gamut from immigration documents to personally identifiable information to financial statements, and more.
Three Types of Exposure
Insurance professionals who work with public entities and private organizations on information security risk management strategies often divide the exposures into three main groups: the risk to personally identifiable information, which could be used for identity theft; a threat to critical infrastructure; and political activism.
Loss of personal and private information is the biggest security risk today, says Larry Harb, owner and CEO of IT Risk Managers, a wholesale insurance brokerage in Okemos, Mich., that specializes in technology security issues.
“That’s what we’re seeing as the biggest … exposure, the loss of personal and private information ending up in an identity theft situation,” Harb says. Such losses can occur electronically — and the exposure becomes greater as online activity increases — but they can also result from the mishandling of paper records, he adds.
Larry Collins, head of E-solutions for Zurich Services Corp., says for public entities especially the main exposure “has to do with the information they possess from an identity theft point of view, as well as from a privacy point of view.”
Cities, counties and states not only have credit card and bank account information, Collins says, but they also have medical programs with public health records, tax records, public employee benefit and retirement information, names and addresses of public school children, and court and criminal records, the protection of which is often subject to federal statutes.
A Breach in Texas
The cost of mitigating an incident after the fact, such as notifying privacy breach victims, providing credit or identity monitoring services to affected parties, consulting with a public relations firm to control reputational damage, as well as defense and settlement expenses, can be exorbitant.
For instance, in April 2011, the Texas Comptroller of Public Accounts discovered that unencrypted data from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas had been posted on one of the state’s public servers for nearly a year, exposing as many as 3.5 million state employees and unemployment insurance claimants to potential identity theft. Class action lawsuits have been filed against the state, including one that seeks a $1,000 penalty for each individual affected, according to the San Diego, Calif.-based non-profit organization Privacy Rights Clearinghouse.
The Texas comptroller’s office admitted that the data was improperly posted on a public server because the agency’s own internal procedures for handling such information were not followed. It has offered those affected a year of credit monitoring and Internet surveillance at no charge.
The comptroller’s office also said identity restoration services would be offered to those whose personal information is misused as a result of the data posting.
“Employee training is key in these cases,” says Tim Stapleton, product liability product manager for Zurich North America Commercial Insurance. “You can have the best IT staff and the best IT measures in place but really all it’s going to take is one employee to make a mistake and you have a privacy issue on your hands.”
That’s why insurance companies, when they consider insuring governmental or commercial organizations for cyber risks, focus on the proactive risk management techniques and employee training that the entity either has in place or needs to establish.
“We’re really looking at three major elements of their risk management profile around security and privacy issues. And that’s technical, administrative and physical,” Stapleton says. “And for municipalities particularly, what I’m more concerned with and probably would put more weight on in these cases is administrative and physical elements.”
The Resource Problem
Cash-strapped cities and counties may be tempted to reduce information security and privacy budgets because those functions may not be seen as being as essential as, say, emergency services, according to Collins. “But they’re enormously important from the point of view of preserving your own municipal IT infrastructure, as well as defending your records, which are very unique, against attacks by hackers and the like.”
A 2010 study by the National Association of State Chief Information Security Officers and Deloitte consultants found that budgets and resources in the public sector lag behind those available to private sector organizations. That gap is widening, according to the 2010 Deloitte-NASCIO Cybersecurity Study.
When assessing their cyber risk, organizations must consider whether they have spent their money wisely, says Michael Murphy, an underwriter for Allied World Assurance. “Have they made the investments in the appropriate individuals with the necessary skill sets to develop adequate network security controls and procedures to protect their information?” he asks.
One of the major differences between public and private organizations is that private companies are usually more agile in their ability to assess risk quickly and allocate funds accordingly.
“Governmental entities are tightly strapped as to where they put this money,” Murphy says. However, taking a “proactive stance on network security and providing the right amount of money to the right individuals in order to be able to protect the information properly,” is advisable, he adds.
Having an incident response plan in place will allow an organization to “respond in a timely fashion to not only protect the information and protect the incidence of a liability situation but also to protect the government entity from a public relations standpoint. You want to handle it properly so that people know if their information is lost the government knows about it and as quickly as possible can let them know,” Murphy says.
Collins and Stapleton agree that whether a municipality has the money to allocate to proactive risk management practices comes back to budgetary issues. But Collins says many carriers offer proactive risk management and employee training.
“This is what we consider pre-breach risk management as opposed to just post-breach measures that would be taken in the response of notification, credit monitoring and the like,” he says.
Taking the position that all organizations are vulnerable and that entities of any size can be susceptible to data breach incidents, the insurance industry has responded over the past decade or so to the ever-evolving security threats that enterprising criminals and mischief makers devise.
“That’s one of the things about working with cyber, with Internet technology, there’s virtually no exposure out there that we haven’t been able to come up with coverage for,” Harb says.
The coverage can encompass everything from defense and notification costs to third party liability to federally mandated fines. The policies, however, are not standard.
“The concept of if ‘it’s not excluded, it’s covered’ is not true,” IT Risk Managers’ Harb says. “In fact, this is the exact opposite. I tell everybody: if you want coverage for a particular exposure, make sure that policy states that exposure is covered. Because if that policy states that exposure is covered then it’s covered. If it’s not stated then it’s in a gray area and, in most cases, it’s not going to be covered.”
The policies “are the exact opposite of what people in the world of traditional insurance are used to dealing with,” he adds.
That’s why when an organization is seeking insurance for cyber security issues, it’s important to deal with specialists who are familiar both with the exposures and the risk transfer mechanisms available, Harb says.
“I always tell people that insurance is a risk transfer vehicle and that’s all it is,” Harb says. “It doesn’t make the risk go away it just pays for it if there’s a problem. Insurance is only a risk transfer vehicle and so from that standpoint, when I can contractually get somebody else to pay for the exposure, I’d like to do that.”