Should Your Organization Purchase Cyberinsurance?

Policies can cover the financial burden of an incident response.

Leaders in Northport, N.Y., face a serious decision. In the wake of a 2014 ransomware attack against the Northport Police Department, the village is considering purchasing a cyberinsurance policy. At a May meeting, the Board of Trustees viewed a presentation covering the benefits of cybersecurity insurance to defray the costs of future breaches.

While Northport may be considering cybersecurity insurance for the first time, these policies aren’t new. Over the past decade, insurance companies developed a variety of products to cover this emerging threat. While cyberinsurance can’t prevent a breach or restore constituent confidence in an agency suffering a breach, the policies do allow agencies to transfer some of the financial burden of incident response to an insurance provider.

Policy Basics

It’s hard to pick up a newspaper or turn on a cable news channel without seeing reports of the latest cybersecurity breach. States and localities aren’t immune from this trend.

During the first half of 2015, agencies ranging from the California State Department of Business Oversight to the Lincoln County (Maine) Sheriff’s Department reported cybersecurity breaches impacting their systems.

Organizations suffering data breaches find that incident response costs quickly pile up and may reach staggering proportions.

IBM’s 2015 Cost of Data Breach Study found that the average data breach at U.S. public sector organizations resulted in a loss of $73 per record. Agencies that hold thousands or millions of records containing personally identifiable information (PII) could easily see a multimillion-dollar price tag associated with a cybersecurity incident.

Cybersecurity policies seek to cover the financial losses associated with a cybersecurity incident. While the language and coverage of each policy varies by issuer and client, policies often cover the costs associated with notifying breached individuals, providing credit monitoring services to those affected, conducting forensic analysis of hacked systems and defending breached organizations against incident-related lawsuits. Policies can’t, of course, prevent the reputational damage that occurs among citizens, vendors and other constituents in the wake of a security incident.

Study the Numbers

Organizations around the country often struggle with the choice to purchase cyberinsurance. In some cases, fear and emotion enter the decision-making process. In reality, the decision should be one of risk management based on financial analysis.

Officials can perform some quick math to decide if cyberinsurance makes sense in their unique circumstances. First, consider the potential magnitude of a data breach. How many records containing personally identifiable information does the agency maintain? Multiply that by the $73-per-record figure identified in the IBM study to produce an estimated cost of a security breach. Divide that total by the annual cost of the premium to find the break-even period, in years, for the policy.

Cover Losses

For an example, let’s return to the case of Northport, N.Y., a village of 7,401. Assuming that the village maintains records containing PII on each resident, the expected cost of a data breach would be $73 multiplied by 7,401, or $540,273. If an insurance broker offered the village a cybersecurity policy with a $50,000 annual premium, the break-even point of that policy would be between 10 and 11 years. If the village expects that a breach might occur more often than once a decade, the policy would be a solid investment. The policy also might be a wise choice if the village lacked the cash reserves to handle the cost of a breach using its rainy day fund.

Organizations around the country are increasingly choosing to purchase cybersecurity insurance policies to cover potential losses. A 2013 Ponemon Institute study found that 31 percent of organizations currently carry cybersecurity insurance, while 57 percent of those lacking coverage plan to purchase a policy in the next 24 months. Public sector agencies lag behind this national trend — only 19 percent of agencies currently carry cyberinsurance policies. One reason may be the lower costs associated with security breaches at government agencies: the $73 per record in data breach costs experienced by public sector organizations pales in comparison to the national average of $217.

IT leaders who haven’t conducted a risk assessment and considered a cyberinsurance policy should consult an insurance broker to run the numbers for themselves. Cybersecurity insurance can be costly, but it may cover significant financial damages after a breach.

Sep 22 2015