How to Find Cyber Insurance for the Uninsurable

By | April 4, 2011

The University of California (UC) has redefined the rules of cyber liability insurance, using an approach that the University’s Chief Risk Officer Grace Crickette calls “reverse underwriting.” Collaborating with the university’s chief information officers, insurance brokers Price Forbes & Alliant, and a London underwriter, UC developed a cyber liability insurance program that reduces risk and drives risk management best practices, Crickette said.

Several years ago, the University of California Office of Risk Services was becoming increasingly aware of cyber risks: the exposures presented by network security, privacy and social networking. While UC self-insures and takes high retentions on all of its risks, from general liability to professional liability, it lacked cyber insurance. Specifically, UC was seeking a product that covered its network security, privacy, media and technology liabilities and at the same time provided a data breach notification and forensics service framework. Not having insurance to protect against emerging risks left the University vulnerable, Crickette said.

Additionally, UC had already experienced cyber losses, both hazard losses and cyber breach incidents. “Due to the nature and complexity of operations and the academic culture of open access, educational institutions, and in particular, large research-oriented universities, face unique exposures related to the internet and information security and privacy,” according to a 2008 white paper on “Cyber Liability and Higher Education” by Aon Corp.

In 2008, educational institutions accounted for 33 percent of all reported data breaches. And from Jan. 1, 2007 until Nov. 19, 2008, approximately 158 educational institutions experienced data breaches involving 3.7 million records. “Combine those statistics with a study conducted by the Ponemon Institute that found the average cost of a data breach was $197 per record, and the potential costs are astounding,” Aon indicated.

Such statistics put reducing cyber risks on the University’s Regents’ radar, Crickette said. The problem she found, however, was that no insurer wanted to write cyber liability coverage for the University. When she sat down to fill out insurance applications, she couldn’t complete them — or the answers made the University seem like a high risk.

For instance, some applications asked her:

  • Within the past three years, have you had a failure or breach of computer security systems that caused a loss in excess of $25,000?
  • Have you had any losses due to malicious code or viruses because of unauthorized access to your computer system?
  • Do you collect credit card data?

The answers to all of those questions were yes, Crickette said, which made insurers perceive the University as uninsurable. A large part of the problem was the scale of the University and its decentralized information technology (IT) systems.

The University of California comprises 10 campuses plus five medical centers, and other operations such as bookstores and dining facilities. It employs approximately 170,000 people and has 250,000 students. The University is heavily involved in research, and it also manages patient care and public services, such as operating 56 Agriculture and Natural Resource stations for the state of California.

“While core systems like payroll and accounting systems are centralized, not all IT systems are,” Crickette said, “because of how funding comes to a university.”

Often, a university receives much of its funding through research grants, from governmental agencies or private industry, she explained. Typically that money goes to a specific professor, also known as the “primary investigator” (PI), and monies do not go to the University’s general fund.

“When a corporation has revenue that comes in, it goes into a general accounting fund, and senior leadership along with the board will make strategic decisions about how that money will be allocated. We don’t have that luxury at the University,” Crickette said. Instead, a significant amount of funding is “tagged” for a special purpose.

To complete and support the research, a PI may need a particular computer system or standalone server. The tendency is for each PI to have their own systems, and many also hire their own IT staff. Because the CIOs could neither track those systems and servers nor apply standardized security measures to the data on them, underwriting was difficult, Crickette said.

“To give you some perspective, there are more than 400 departments at U.C. Berkeley, so multiply that by 10 campuses plus the medical centers. And if you can imagine there’s a high percentage of those departments with their own IT systems, [you can see how it becomes] very, very difficult to get an inventory of the systems. And if you do get the inventory of the systems, the due diligence that has to be done related to cyber risk in regard to security, even just protection of the equipment from hazard risk, becomes very, very difficult,” Crickette said.

So that’s how Crickette’s journey began, of trying to develop a new cyber product to make the “uninsurable” University insurable. She began by pitching the idea of what she called “reverse underwriting” first domestically, then in London. The central idea was that she wanted an insurance program to cover losses only if best practices had been followed.

“If we could identify the controls, privacy, network security and social engineering best practices that we wanted people (the PIs) to follow, and get an insurance company to collaborate with us to agree on those controls and underwrite to those controls, we would have coverage to pay claims,” she said. “However we also wanted to demonstrate to carriers that we already had implemented many of the controls that a strong security posture would have required.”

Using an auto insurance analogy, Crickette said typically when a driver seeks insurance the premium is based on the driver’s current state — what kind of car the person is driving and his or her driving record. With reverse underwriting, an insurer would say, “‘if you have an auto accident and we see that you have improved your vehicle, improved your driving record to mitigate risk as best as possible, we’re going to underwrite to that,'” Crickette explained.

Crickette spent two years pitching her idea to insurers. Given the loss experience of other universities, it was difficult for carriers to embrace the flexible approach that reverse underwriting entailed. Yet eventually her persistence paid off. With the help of her London insurance broker Price Forbes & Alliant, she found a Lloyd’s syndicate willing to reverse underwrite the coverage. The underwriter, Rick Welsh, now with ANV London, understood that Crickette wanted insurance to enhance risk management throughout UC, rather than for all of the risk to be transferred to the carrier. As a result, the carrier, Aspen, provides coverage only as long as the claims forensics can prove that the University met the pre-agreed-upon risk management standards.

The policy has 17 standards, which were developed by the University CIOs, such as:

  • Maintain antivirus and malware prevention solutions, including in student/dormitory settings, on any computer that is part of your computer system, and update the protection at regular intervals, no less than once every 30 days;
  • Take reasonable security precautions when processing, storing or transmitting credit card payment data or personally identifiable information;
  • Ensure laptops are encrypted, and that any employee laptop with sensitive nonpublic data has whole-disk encryption in place; and
  • Maintain an incident reporting and response program that enables prompt escalation and management response for events reported by students, faculty and staff.
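Because the carrier pays a claim only if forensics can show the pre-agreed standards were actually met, the practical follow-through for a decentralized campus is to collect per-asset evidence continuously rather than assert compliance after a breach. The script below is an added illustration, not UC’s or the carrier’s tooling: it evaluates a constructed asset inventory against the two measurable standards listed above (anti-malware definitions no older than 30 days, and disk encryption on laptops) and treats missing evidence as a failure, since an un-inventoried PI system cannot be proven compliant. The asset names, field names and the 2011-04-04 reference date are assumptions made for the example.

```python
"""Policy-as-evidence check for two measurable cyber-insurance standards.

Added example, not UC's or the carrier's own code. The inventory below is
constructed for illustration; field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

AV_MAX_AGE_DAYS = 30                # "no less than once every 30 days"
AS_OF = date(2011, 4, 4)            # assumed evaluation date (article date)


@dataclass
class Asset:
    name: str
    kind: str                       # "laptop", "desktop" or "server"
    sensitive_data: bool            # holds sensitive non-public data?
    av_installed: bool
    av_last_update: Optional[date]  # None = no evidence collected
    disk_encrypted: Optional[bool]  # None = unknown / not attested


@dataclass
class Finding:
    asset: str
    standard: str
    passed: bool
    detail: str


def check_antimalware(asset: Asset, today: date) -> Finding:
    """Anti-malware present and definitions refreshed within AV_MAX_AGE_DAYS."""
    std = "antimalware-30d"
    if not asset.av_installed:
        return Finding(asset.name, std, False, "no anti-malware solution installed")
    if asset.av_last_update is None:
        # Missing evidence fails: for a claim the control must be provable.
        return Finding(asset.name, std, False, "no record of last definition update")
    age = (today - asset.av_last_update).days
    if age > AV_MAX_AGE_DAYS:
        return Finding(asset.name, std, False,
                       f"definitions {age} days old (limit {AV_MAX_AGE_DAYS})")
    return Finding(asset.name, std, True, f"definitions {age} days old")


def check_laptop_encryption(asset: Asset) -> Optional[Finding]:
    """Laptops must be encrypted; the standard does not apply to other kinds."""
    std = "laptop-disk-encryption"
    if asset.kind != "laptop":
        return None
    if asset.disk_encrypted is None:
        return Finding(asset.name, std, False, "encryption state not attested")
    if not asset.disk_encrypted:
        tag = " (holds sensitive data)" if asset.sensitive_data else ""
        return Finding(asset.name, std, False, "disk not encrypted" + tag)
    return Finding(asset.name, std, True, "whole-disk encryption in place")


def evaluate(inventory: List[Asset], today: date) -> List[Finding]:
    """Run every applicable standard over every asset."""
    findings: List[Finding] = []
    for asset in inventory:
        findings.append(check_antimalware(asset, today))
        fde = check_laptop_encryption(asset)
        if fde is not None:
            findings.append(fde)
    return findings


def failing_assets(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated names of assets with at least one failed standard."""
    return sorted({f.asset for f in findings if not f.passed})


def summary(findings: List[Finding]) -> Dict[str, int]:
    passed = sum(1 for f in findings if f.passed)
    return {"passed": passed, "failed": len(findings) - passed}


# Constructed sample inventory (assumed names and states, not real UC assets).
SAMPLE_INVENTORY = [
    Asset("pi-lab-server-01", "server", True, True, date(2011, 2, 18), None),
    Asset("grants-laptop-07", "laptop", True, True, date(2011, 4, 1), True),
    Asset("dorm-desktop-22", "desktop", False, True, None, None),
    Asset("field-station-laptop", "laptop", True, True, date(2011, 3, 25), None),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY, AS_OF):
        status = "PASS" if f.passed else "FAIL"
        print(f"{status} {f.asset:22} {f.standard:24} {f.detail}")
    print(summary(evaluate(SAMPLE_INVENTORY, AS_OF)))
```

In a real deployment the inventory rows would come from endpoint management or the campus CIOs’ asset registers, and the findings would be retained with timestamps so that, after an incident, the claims forensics have a dated record of control state rather than a retrospective attestation.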

Crickette said the standards are “carrots” for people throughout the University to encourage them to become more aware of cyber risks and motivate them to put better security controls in place.

“The CIOs, as a whole, are very excited about the program because it gives them a tool to go out and have conversations with the professors, the primary investigators, and talk about what controls they need to have in place on their systems, or persuade them that perhaps their systems would be better suited in the hands of the CIOs, ” Crickette said.

Previously, if a department had a cyber breach, it more than likely would have been an unbudgeted and non-covered incident, she said. Without insurance coverage, the PIs were forced to incur the cost of responding to the breach from their own department budget, or forced to go to their chancellor to see if general funds were available to help respond to the breach.

As an unexpected benefit, the University is reducing its energy costs, because more IT systems are being moved to centralized locations, Crickette added. Moreover, through the collaborative relationship with the carrier, UC has achieved its goal of having a unified yet comprehensive risk management framework underpinned with a secure risk transfer insurance program.

Now that the program has been in place for a year, and the University of California is looking to renew its program, it’s also hoping to get other carriers, or syndicates, interested in a similar cyber liability program. In addition to helping other higher educational organizations or other entities that are having difficulty finding cyber liability coverage, Crickette said she also hopes more competition will allow her to purchase larger limits of coverage.

“I think a lot of people — both in higher education and outside of it — are interested in this policy because it does have very broad coverage and it’s also nicely bundled together,” Crickette said. “… In conversations I have with risk managers about cyber coverage [they ask,] ‘Is it worth buying? Is the coverage broad enough? Is it going to offer my company the breadth and depth of post-loss coverage and service that I really need?’ …

“[UC’s policy] is really quite broad. It provides breach notice response services coverage, online media liability coverage, privacy and confidentiality breach liability coverage, security breach liability coverage, whether it’s legal costs, forensics, third-party computer forensic professionals, etc. So that’s really quite broad,” Crickette said.

Ultimately the insurance program is doing what Crickette aimed to accomplish: cover claims when needed and reduce risk. “The [cyber] insurance is just part of focusing everyone’s attention on this area, and the way that it’s devised is to change behavior and improve the risk — not just pay for problems that arise,” she said.

To listen to the full interview with the University of California’s Chief Risk Officer Grace Crickette, visit https://www.insurancejournal.tv/videos/5186/.
