Page 40 - GCN, August/September 2018

Agencies must have a defensible cybersecurity program in place to
The state of Georgia marked its first anniversary as a cybersecurity insurance holder in July, and officials said they have no plans to be without it again.
In the event of a security breach, the insurance provider connects agency clients to vendors that can immediately begin remediation — including services related to digital forensics, legal issues, public relations and notification.
“Because we already have the relationship with the insurance provider, effectively, they look like subcontractors to us,” Georgia CTO Steve Nichols said. “It’s already been competed. We can just reach out and get things quickly.”
With those worries largely taken care of, the information security teams at state agencies can focus on important tasks — mainly, keeping cybersecurity up-to-date.
Stanton Gatewood, Georgia’s chief information security officer, said having a list of vendors agencies can call for incident response and forensics gives him a “warm and fuzzy feeling.” And because officials would rather avoid the kinds of incidents that would require them to use the insurance, it has the added benefit of reminding the state’s security professionals to keep “sharpening their spears as far as their programs and their postures.”
Keeping up with a changing security landscape
Many public- and private-sector organizations are buying cybersecurity insurance to help manage the costs related to breaches, and state governments in particular are increasingly making use of it. About 38 percent of states have such insurance, according to a survey released by the National Association of State CIOs in October 2017.
West Virginia has had a policy since 2014, and Utah has had one since 2015. In May, South Carolina became the latest state to issue a request for proposals for cybersecurity insurance.
Utah CISO Phil Bates said a security breach in 2012 was the impetus for the state to buy insurance. “We wanted it to cover the costs surrounding a breach — that was the big thing,” he added.
Those costs can be staggering. A 2017 study by the Ponemon Institute concluded that the cost of data breaches is $141 per record, but other estimates go much higher.
Utah has an insurance policy through Brit with a $1 million deductible and a $10 million cap. “I don’t see that the landscape is getting any better, so I think this is something we’ll be dealing with for a while,” Bates said.
For his colleagues in other states, he recommended partnering with an insurance broker to find the right policy, which is what the Georgia Technology Authority did in collaboration with the state’s Department of Administrative Services. Officials worked with brokerage firm Willis Towers Watson before signing a $100 million policy with a retention, or deductible, of $250,000. It went into effect on July 1, 2017.
The Department of Administrative Services’ Risk Management Services division provides the primary coverage, while XL Catlin and several other companies provide additional coverage. The cost of the premium is spread across agencies.
“The security landscape is changing
















































































