Georgia Technology Authority’s $100 million policy
For a $1.8 million premium, Georgia has coverage for:
• Breach of network security and/or data that was supposed to be kept private.
• Defense expenses and any fines or penalties assessed by regulatory bodies.
• Lost revenue due to a network outage that exceeds 10 hours, as well as expenses to resume operations.
• Expenses associated with recovering, rebuilding or restoring data.
• Extortion incidents, including payment of ransom.
• Expenses associated with responding to an incident, including a crisis management company to help deal with the press and communications to affected individuals.
qualify for and retain insurance.
                       pretty quickly, so you can really feel isolated and not sure what to do if you’re out there on your own,” Nichols said. “Being able to talk to the broker, talk to the lawyers, talk to a security forensics expert who can be as current as [saying,] ‘Oh, we just saw this last week; this particular problem or vulnerability is going around’ — that gives me a lot of comfort.”
Georgia’s policy covers all executive branch agencies with the exception of the Georgia Department of Defense (which serves as the state’s National Guard and is run like a federal agency), the state Department of Education and all higher-education institutions.
Because insurers rank personally identifiable information (PII) high on the risk list, the broker said including education data on minors would distort the pricing, according to Nichols.
“Most of that [PII] data is held by agencies where we are managing all of their infrastructure through our outsourced contracts, so people were able to find some comfort in that,” he added. “Even though we are not 100 percent consolidated, the parts where they felt the risk is are consolidated.”
A feeding frenzy
Paul Proctor, a vice president and distinguished analyst at Gartner, said the demand for cybersecurity insurance is high.
“Right now, it’s like a feeding frenzy: Just go get cyber insurance. From whom? From where? It doesn’t matter. Just go get cyber insurance,” he said. “On the buyer side, everybody is very concerned about this cybersecurity issue, and on the seller’s side of it, wow, are they making a lot of money. They can’t write policies fast enough, and people are just buying it hand over fist.”
However, he cautioned agencies to must make sure they aren’t using the insurance as an excuse to be lax about security measures. Among other reasons, agencies must have a defensible cybersecurity program in place to qualify for and retain insurance. For example, companies won’t pay on a claim if an agency said it issues patches every 30 days and then a breach happens because the affected system hadn’t been patched in that time frame.
“This is like you signing up for health insurance and ticking the box that says, ‘I’m a nonsmoker,’ and then you get lung cancer connected to the fact that you are a smoker,” Proctor said. “The insurance policy is not going to pay for that.”
Cybersecurity insurers are still negotiating a steep learning curve. Unlike car or health insurance, “cyber insurance doesn’t have actuarial tables,” he said. By analyzing data on cars or someone’s age and health history, insurers can estimate the likelihood of given problems, but “you can’t really do that with cyber insurance.”
The market will balance out eventually, he added, and the signs are already emerging as premiums rise and payouts decrease.
“That’s going to lead to a balancing of people being able to choose appropriately when cyber insurance works for them and when it doesn’t,” Proctor said. “We are still a few years away from it being mature enough for everybody to be able to buy it with confidence and to get an appropriate deal for their situation.” •
GCN AUGUST/SEPTEMBER 2018 • GCN.COM 41