One of the office staff at the College of the Holy Cross fell victim to a phishing scam back in 2011. A scammer had sent an email warning that the staffer’s email account was running out of space and requesting the username and password for the account to fix the issue. Sharing that information put the records of 500 employees at risk.
Luckily, just weeks before the breach, David Shettler, deputy CIO and information security officer at the Massachusetts college had purchased a cyber insurance policy. “At the time, data breaches were on the increase and prevalent in the news, and we knew that higher education institutions were not immune,” says Shettler. “The breach we experienced was significant enough for us to make a claim.”
The insurance provider helped remedy the situation, connecting administrators with legal counsel, notifying staff whose information was compromised, providing credit monitoring, and even staffing a call center to handle calls from concerned employees. The estimated cost of the incident—over $100 per record—was not fully covered. But having the policy made a big difference.
A growing number of colleges are purchasing cyber insurance. In fact, the global market is expected to reach $14 billion by 2022, according to a 2016 Allied Market Research study. The number of educational institutions (K-12 and higher ed) with cyber insurance increased from 30% in 2014 to almost 70% in 2018, according to a 2019 Marsh report.
Cyber policies—covering network security and privacy liability, data incident management, penalties and fines from regulatory proceedings, network or system interruption, and breach response expenses—have become essential. “Any organization that handles or collects data and relies on technology to enable their work needs to be looking at coverage,” says Robert Parisi, U.S. cyber product leader for Marsh Insurance.
Thanks to an uptick in interest, cyber insurance policy options are easier to find. But that doesn’t mean deciding on coverage is as simple as picking a policy and paying the premium.
Experts and administrators advise following four best practices for purchasing cyber insurance.
1. Assess your risk
All colleges are at risk, thanks to the amount of data stored on their servers, but certain schools might be more vulnerable than others to cyberattacks. Parisi believes large institutions with higher numbers of students and staff as well as those that process large numbers of retail and dining transactions need more coverage.
8 questions to ask cyber insurance brokers
1. What does the insurance cover?
2. How much coverage does our college need?
3. What are the average premiums for that level of coverage?
4. What common exclusions can we expect?
5. What providers are rated best?
6. What kinds of support can we expect if we make a claim?
7. What is the process for securing a policy?
8. Who needs to be involved in the decision-making process?
Clint Wevodau, director of risk management and insurance at Bucknell University in Pennsylvania, relies on a strong partnership with his insurance broker who understands the risks (and can market those risks to potential insurers). “It’s helpful to have the administration, broker and underwriter all on the same page in terms of the transparency of the risks and cyberthreats the organization may face,” he says.
Bucknell has a $3 million cyber insurance policy with a $35,000 annual premium, which was first purchased in 2011. Five years later—when data stored in a public folder behind a firewall was compromised by someone with university login credentials—officials had to make a claim, which the policy covered.
2. Shop around
Like with all insurance, coverage options and premiums for cyber insurance vary widely.
Although Shettler cannot disclose annual premiums for the cyber policy covering Holy Cross, he does note that price comparisons revealed a $30,000 difference between the lowest- and highest-priced policies. Most policies cover network security and privacy liability, incident management, network interruption, and breach response expenses. Insurers may offer extras, such as coverage for ransomware and other cyber extortion. “Some insurers are just there to cut a check when there is a problem, and others offer hand-holding to get through a crisis,” says Marsh’s Parisi.
He advises considering policies with value-added services. Insurance companies may have a panel of vendors such as law firms, forensic accountants and 24-hour hotlines, for example.
3. Reevaluate coverage options
Cyber insurance is not a one-and-done purchase. Offerings are always evolving and policies should be reevaluated. John Meriano purchased the first cyber insurance policy for Quinnipiac University in Connecticut back in 2012.
Since then, Meriano, the associate vice president for auxiliary services, has increased coverage from $5 million to $10 million. He continues reevaluating the coverage every three years and making changes as needed. “We bought our first cyber insurance policy because it seemed like risks were getting a little higher, and we increased the coverage because the pricing was getting more attractive; we could double our coverage for just a few dollars more,” he says.
At Bucknell, Wevodau reevaluates the cyber insurance policy every other year and, in conjunction with the broker and CIO, makes decisions about coverage.
4. Continue to pursue other protections
While cyber insurance is important today, Meriano stresses that policies are not a substitute for other risk management strategies. “You need to look at your infrastructure and see if there are opportunities to make things more secure,” he says.
To minimize the risk of cybercrimes at Bucknell, Wevodau houses secure data across multiple locations, for example. Even if one location falls victim to an attack, not all the data is compromised.
Mark A. Dobrow, vice president of Segal Select Insurance Services Inc., echoes this sentiment of having a lot more than a policy. He cites the need to create secure IT environments through risk assessments, incident response planning, software updates, staff training, and vendor screening and testing. “While insurance may address various immediate remediation and liability costs of a breach,” he says, “it will not reduce the chances of breaches occurring or protect against the long-term reputational damage that often follows.”
Jodi Helmer is a North Carolina-based writer and frequent contributor to UB.