Cyber Risk Insurance
Interest in cyber risk insurance is growing, but is it for you?
By Linda Tucci, Senior News Writer
The ink was barely dry on Brown University’s 2009 contract to move student email accounts to the Google cloud before CISO David Sherry was getting calls from cyber risk insurance brokers asking if the university was considering outsourcing some of its liability. Thanks, but no thanks, was the answer.
Brown students are on a separate network from faculty and staff, Sherry explained. And, he wryly noted, the security provided by the Google Apps for Education service is as good as, if not better than, what he could provide to the rotating crop of “new computer hackers” enrolled at the school’s Providence, R.I., campus.
“With the students, we felt the liability was rather small,” Sherry told a gathering of IT executives at a recent event at the Franklin W. Olin College of Engineering in Needham, Mass.
As the university contemplates whether to move faculty and staff accounts to the cloud, however, the conversation has changed. Federally funded research data is subject to a host of regulatory requirements. There are data retention requirements related to e-discovery and global privacy rules to consider. Getting customized security guarantees from a cloud provider is tough, if not impossible, even for a marquee customer. Now it’s Sherry who’s asking questions about cyberinsurance. “We are taking a long look at it,” he said. “It’s not cheap.”
Sherry is not alone. As data breaches proliferate and the potential costs associated with them are quantified — as high as $202 per customer record, according to Ponemon Institute LLC’s latest data breach study — interest in cyber risk insurance is growing among IT executives.
“In the last few months, we have been getting a lot more inquiries than in the past,” said Khalid Kark, a security and risk analyst at Forrester Research Inc. in Cambridge, Mass. Part of the reason for the uptick, he said, is that data breaches are becoming “a lot more impactful” to organizations, and senior executives are asking IT how the company can mitigate the risk. In addition, the insurance industry is aggressively pushing these policies.
“In a lot of cases, the actual insurance broker for the organization comes to them and says, ‘Hey, we know there is this new cyberinsurance we can just add to your regular coverage and even give you a slight discount,’” Kark said.
Whether cyber risk insurance makes sense for your organization, however, is an open question, in Kark’s view, particularly if your organization has a mature information security program. “My gut feel is that if you’ve got a certain level of maturity and you’re pretty confident about your security controls, it is better to evaluate this insurance in a lot more depth,” he said.