
Enhancing cybersecurity and risk management for public entities and education

Creative solutions for cyber insurance

By Tom Finan | June 23, 2025

Public entities and educational institutions are facing increasing cyber risks. Explore creative cyber insurance solutions to enhance cybersecurity and risk management for this industry.

What do the cities Birmingham, Alabama; Columbus, Ohio; Hoboken, New Jersey; McKinney, Texas; North Miami, Florida; Georgia’s Coweta County School System; the Los Angeles Unified School District; and Western New Mexico University have in common? All have been the targets of significant cyber attacks over the last 18 months. They’re not alone. As Microsoft noted earlier this year, “Governments worldwide are now the third most targeted by nation-state actors, making cybersecurity a top priority.” A recent report by cybersecurity firm Check Point, moreover, noted that the average school, college or university gets more than 3,000 cyber threats per week — the culmination of a steep increase over the last several years.

Bottom line, public entities and education organizations need as much help as they can get. A creative fusion of cyber risk assessment excellence and cyber insurance that incentivizes wise cybersecurity investments represents a key way forward.

What is the specific cyber risk for public entities?

Public entities, including education organizations, are treasure troves of sensitive data. They often store personal information (e.g., linked to voter registration), tax records and other sensitive information (e.g., handicap stickers in cars with linked health information). Much of this personally identifiable information (PII) is housed in often antiquated and less defended systems. Public entities likewise provide crucial services to large and diverse constituencies. Threat actors know that these public entities must continue to operate and serve the public and maintain public confidence. They consequently believe that public entities are more likely to pay ransoms to avoid costly/lengthy disruptions (e.g., uncollected taxes, unscheduled court cases, unpaid salaries), dangerous interruptions (e.g., undispatched police and fire protection services) and reputational damage.

Unsurprisingly, public entities are the second top-targeted industry for ransomware. Victims include cities, county governments, school districts, police agencies and health care systems. Nearly one-third of cyber claims among public sector entities involve ransomware. Given the lack of robust defenses and the general stakes for these entities, ransom demands tend to be exorbitant. Even if they pay ransom demands, public entities have no guarantee that their data will be released uncorrupted. In the wake of an event, they instead must spend time ensuring attackers didn’t hide backdoors that would let them re-launch an attack. They likewise need to check that they’ve purged all traces of viruses from their systems before bringing services back online.

Hacktivist attacks are also a pronounced issue for public entities. Hacktivists may try to take online systems down for extended periods, expose private data, or cause other inconveniences to the entity to express their displeasure with government leaders and the actions they take (e.g., passage of a law they don’t like).

Public entities typically have smaller cybersecurity staffs and smaller cybersecurity budgets, along with aging cyber infrastructure. This makes their networks easier to attack. Response and recovery times are slow for under-staffed and underfunded public entities, whether a cyber attack involves ransomware or some other exploit. Recovery usually takes place in stages, with an impacted agency first restoring its most critical assets — a task it might manage within a month — while taking longer to fully return to normal.

For their part, public colleges and universities face not only these but also a set of other discrete cyber risks – data breaches involving the theft of PII and research data, to be sure, but also ransomware and other attacks that bring down online platforms or block access to research data that can be equally damaging. The nature of higher education demands a collaborative teaching, learning and research environment routinely based on open, shared technology. This demand is often at odds with tight security controls. Many institutions of higher education are pursuing coverage for their cyber liability insurance to focus on catastrophic events that might occur. Even so, their limits tend to be fairly low.

How has the market reacted?

Many cyber insurers have seen losses increase significantly with public sector clients, including education organizations. As a result, carrier appetite has tightened considerably, and underwriting requirements have become increasingly stringent and lengthy. Premiums for states and localities have ballooned in recent years, even if they have all the required controls in place. Sub-limits and coinsurance provisions have become commonplace, especially regarding ransomware losses. The trendline, unfortunately, is not positive. Cyber insurance instead has become increasingly impractical and/or unaffordable for clients with smaller budgets as high premiums stay high (or climb). Insurer demands for improved controls that necessitate increased staffing as well as expensive updates to older systems and software only compound the problem.

Without the ability to adequately transfer risk, public entities could face greater financial and reputational risks from cyberattacks, which could have negative credit implications. Many states and localities believe the cost of not having cybersecurity insurance is incalculable, making their jurisdictions vulnerable to extreme losses in capital, human health and safety, not to mention reputation. In short, they’re caught between a rock and a hard place.

How can the cyber insurance market help?

The question before the cyber insurance market is whether brokers and carriers can create a market where more carriers want to cover public entities, including education organizations, and actively compete to do so. For present purposes, any distinctions that may exist between middle market and large and complex organizations are largely irrelevant. Clients and prospects across the sector face some combination of shared problems that boil down to a common theme: a lack of budget and cybersecurity expertise that undermines carrier confidence that they have strong enough controls to prevent and/or respond to and recover quickly from a cyber event.

Given the distressed (and distressing) environment, public entity clients typically have three goals when purchasing and renewing coverage:

  1. An easy and efficient application process
  2. Clarity around insurability and required controls long in advance of expiration dates
  3. Competitive pricing

Using these common themes as a guide, brokers especially must service this sector differently to build a new market.

A forward strategy

It’s time for the insurance industry to get creative. One approach would be to broker a relationship (pun fully intended) between a provider specializing in cybersecurity assessments and cyber insurance carriers. The idea would be to enroll public entities, including education organizations, into a program that provides them with much better cybersecurity capabilities and controls than they otherwise would be able to afford and manage on their own. Brokers could work with the provider to develop this program and at the same time approach key carriers to see if (1) they are open to providing quality coverage to public sector/education clients given the enhanced cybersecurity that their participation in the provider’s assessments brings and (2) whether they will provide coverage on better terms given the risk differentiation that the program provides.

Assessments are key. If carriers have a say in how they’re conducted, have access to results and obtain commitments from insureds to target gap areas for improvement, a multi-prong collaboration can form:

  • Clients can “prove” their cybersecurity bona fides through an objective third-party provider and can more effectively target their cyber risk management challenge areas;
  • Carriers can obtain deeper insight into the cyber risk postures of potential clients than is currently possible with standard applications and make more informed underwriting decisions;
  • Cybersecurity providers can grow their business with clients who will value their services in a new way given increased access to coverage that the program brings; and
  • Broker-advocates can provide a new level of service that public entities need: advocacy for and access to better coverage for more cyber resilient public entities and education organizations.

The need is clear. The time for this win-win-win-win is now. Our public entity and education clients await.

Disclaimer

WTW hopes you found the general information provided here informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, WTW offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Author


FINEX Cyber/E&O