What Is Cyberinsurance and How Does It Affect State Governments?
As Dark Reading notes, cyberinsurance is “designed to cover the costs of security incidents and breaches such as system forensics, data recovery, and legal and customer reparations costs.”
Most standard cyberinsurance policies “exclude preventable security failures that result from failing to maintain a minimum level of security — an improperly configured firewall, for example,” according to The Wall Street Journal. “The careless mishandling of sensitive information by employees generally isn’t covered. Malicious acts by employees also generally aren’t covered, or theft of trade secrets or intellectual property.”
Why is cyberinsurance so critical? One reason is that breaches of citizen data incur both economic and reputational costs for governments.
According to the 2019 “Cost of a Data Breach Report,” sponsored by IBM Security and independently conducted by the Ponemon Institute, the average cost of a data breach in the U.S. was $3.92 million in 2019. The average cost of a compromised record in 2019 was $150, up 1.4 percent from 2018’s cost of $148.
Those losses hit both the people whose data has been compromised as well as third parties. As computer security and privacy expert Mark Rasch notes at Security Boulevard, if California or any other state “contracts with some entity, whether it is a cloud storage provider, a data analytics entity or even an accountant or lawyer, and provides them through the contract with access to or possession of personal information it has collected, and that third party suffers a breach, there could be economic losses to the data subjects, which could be passed on to the state, and therefore to the contractor.”
How Cyberinsurance Could Work for a State Government
There are different kinds of cyberinsurance, and states would need to consider which kind to adopt. First-party insurance “covers the policyholder’s own direct losses from cyberattacks such as data theft, denial of service and extortion,” the Journal reports, while third-party insurance “covers companies that allowed a data breach to occur on a client network.”
A state would want to ensure its cyberinsurance mandate covers third-party losses, since that coverage protects both the state and its citizens.
“If I give (or am forced to give) my data to the Golden State and assert that they have a duty to protect it, and they then give it to some contractor, the insurance has to cover losses to the state and to the data subject,” Rasch argues.
Insurance should also seek to cover both direct and indirect losses. If a data breach leads to a loss of trust in a state government and forces a state to implement a more expensive system, that might be an indirect loss that would be covered, although it gets legally murky.
Any large-scale data breach is either going to impact the contractor, the state government or the citizens whose data is exposed, Rasch notes. Cyberinsurance also needs to cover not just the costs of the direct breach of records but investigations and legal costs after the fact.
It’s important to note that even if a state were to implement a cyberinsurance mandate similar to what was proposed in California, such policies are not an excuse to cut back on cybersecurity and data protection at the state level for resident data.
States need to be proactive about their cybersecurity defenses in a way that complements cyberinsurance protections. Cyberinsurance has its merits, but it is not a cure-all for data breach concerns.