Jun 25 2020

How States Should Think About Cyberinsurance

Proposed legislation in California should have state IT leaders and policymakers considering the complicated factors involved in cyberinsurance.

State governments continue to be hit with large-scale cyberattacks, such as the distributed denial-of-service attack in late May that targeted Minnesota’s information systems and networks and the ransomware attack that hit Louisiana last November. 

Recently, a state lawmaker in California proposed legislation that sought to put in place new protections for critical state data by mandating the adoption of cyberinsurance by contractors that have access to it. 

The bill, AB 2320, was introduced in February by assembly member Edwin Chau. It would require cyberinsurance coverage if a contractor received or was given access to records that contain personal information protected under the state’s Information Practices Act, according to bill text. That act, passed in 1977, regulates how California agencies collect, manage and send out personally identifiable information on residents — including names, Social Security numbers, home addresses and medical and employment history.

The bill says contracts with contractors who receive or have access to that data “shall require the contractor to carry cyber insurance sufficient to cover all losses resulting from potential unlawful access to or disclosure of personal information, in an amount determined by the contracting agency.”

Although the bill was voted down in committee in May, it raised important questions that state governments should consider when it comes to cyberinsurance. 

How much and what kind of cyberinsurance should a state mandate? What data needs to be protected? What kinds of losses should be covered?

What Is Cyberinsurance and How Does It Affect State Governments?

As Dark Reading notes, cyberinsurance is “designed to cover the costs of security incidents and breaches such as system forensics, data recovery, and legal and customer reparations costs.” 

Most standard cyberinsurance policies “exclude preventable security failures that result from failing to maintain a minimum level of security — an improperly configured firewall, for example,” according to The Wall Street Journal. “The careless mishandling of sensitive information by employees generally isn’t covered. Malicious acts by employees also generally aren’t covered, or theft of trade secrets or intellectual property.”

Why is cyberinsurance so critical? One reason is that breaches of citizen data impose both economic and reputational costs on governments.

According to the 2019 “Cost of a Data Breach Report,” sponsored by IBM Security and independently conducted by the Ponemon Institute, the global average cost of a data breach was $3.92 million in 2019, with the U.S. the most expensive country in the study at $8.19 million. The average cost of a compromised record in 2019 was $150, up 1.4 percent from 2018’s cost of $148.

Those losses hit both the people whose data has been compromised as well as third parties. As computer security and privacy expert Mark Rasch notes at Security Boulevard, if California or any other state “contracts with some entity, whether it is a cloud storage provider, a data analytics entity or even an accountant or lawyer, and provides them through the contract with access to or possession of personal information it has collected, and that third party suffers a breach, there could be economic losses to the data subjects, which could be passed on to the state, and therefore to the contractor.”


How Cyberinsurance Could Work for a State Government

There are different kinds of cyberinsurance, and states would need to consider which kind to adopt. First-party insurance “covers the policyholder’s own direct losses from cyberattacks such as data theft, denial of service and extortion,” the Journal reports, while third-party insurance “covers companies that allowed a data breach to occur on a client network.”

A state would want its cyberinsurance mandate to require third-party coverage on the contractor’s policy, since the state and its residents, not the contractor, are the parties harmed when a contractor is breached.

“If I give (or am forced to give) my data to the Golden State and assert that they have a duty to protect it, and they then give it to some contractor, the insurance has to cover losses to the state and to the data subject,” Rasch argues.

Insurance should also seek to cover both direct and indirect losses. If a data breach leads to a loss of trust in a state government and forces the state to implement a more expensive system, that is an indirect loss a policy should arguably cover, although the legal footing for such claims is murky.

Any large-scale data breach is going to affect the contractor, the state government or the citizens whose data is exposed, and often all three, Rasch notes. Cyberinsurance therefore needs to cover not just the direct costs of the breached records but also the investigation and legal costs that follow.

It’s important to note that even if a state were to implement a cyberinsurance mandate similar to what was proposed in California, such a policy is not an excuse to cut back on the state’s own cybersecurity and data protection for resident data. As the Journal’s summary of standard exclusions makes clear, a policy may not pay out at all for losses traced to a preventable failure such as a misconfigured firewall.

States need to be proactive about their cybersecurity defenses in a way that complements cyberinsurance protections. Cyberinsurance has its merits, but it is not a cure-all for data breach concerns.

This article is part of StateTech's CITizen blog series.
