
Greetings,

 

How many of your institutions carry Cyber Liability Insurance?  If not, why not?

 

Many thanks for your help.

 

Regards,

 

Stacy

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Stacy,

I am glad you posted this question because we are trying to determine if the risk probability warrants the cost.

Neil Fay

CTO, Hood College

 

Yes, we do.  Covering our bases in the event of an incident.  Cost was not prohibitive.
*********************************************
Delores K. Barton
Vice President & Chief Information Officer
Spelman College
350 Spelman Lane, SW, Box 141
Atlanta, Georgia 30314-4399
(404) 270-5376 / FAX (404) 270-5399



Stacy,

We carry the coverage; if we were to have an incident and have to offer credit monitoring, it can get costly very quickly!

Bill

 

Bill Scorse

Vice-President of Administration and Chief Information Officer

Drury University

900 N. Benton

Burnham Hall #107

Springfield, MO 65802

417.873.7214 Office

417.844.4851 Cell

Bscorse@Drury.edu

Visit us at www.Drury.edu

 

Please consider our environmental responsibility before printing this e-mail

 

 

 

 

I suspect that many (or most or all?) public institutions self-insure just about everything, and hence don’t have insurance policies with insurance carriers in the traditional sense. Cyber Liability insurance would be no different.

 

Jerry

----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990

Voice: 865 539-7127 •  Fax: 865 539-7653 •  E-mail: jbryan@pstcc.edu

 

 

Clark University carries Cyber Liability insurance.

 

Pennie

 

 

 

Pennie S. Turgeon | Vice President for Information Technology and CIO
Clark University | 950 Main Street | Worcester, MA | 01610-1477
Office: 508-421-3813 | fax: 508-793-8823 | e-mail: pturgeon@clarku.edu

 

Please don't print this e-mail unless you really need to

 

 

 

 

Creighton University also carried cyber liability insurance.

 

Brian

 

As does Olin College.
 
Joanne
 

Albright College has this insurance as well.

 

Dana

 

Dana German

Chief Technology Officer

Information Technology Services

Albright College

610.921.7225

 

 

For all those of you who carry this insurance, what is the extent of the coverage?

 

Dr. Robert Paterson

Vice President, Information Technology, Planning & Research

Molloy College

Rockville Centre, NY 11571

516-678-5000 ex 6443

 

And a quick addition: was there a “cost per record lost” that was used to help decide on the coverage level?

 

 

Thanks,

Stacy

 

My standard response: 
Oakland University has purchased Cyber Liability including data coverage for a number of years.  We began our Cyber Liability purchase on July 1, 2005, with AIG.  At that time, the policy was very narrow.  However, as the market for cyber insurance grew, so did our coverage.  Until June 30, 2010, we remained with Chartis (AIG).  Our limits were $5,000,000 in both occurrence and aggregate, with a $50,000 deductible. 
 
Last year we decided to go with a new program being offered by Beazley Insurance.  It is called the Beazley Breach Response program.  Our limits and deductible remained the same.  There were two major changes in the policy.  The first is that the limits go from straight $5M limits, which included notification, to a $5M limit that is in addition to a 2,000,000 person limit for notification.

The second change is how a breach is handled.  Through experience, we have found that a breach can be quite time-consuming and very difficult.  In the prior program, we were responsible for all of the claims handling, including forensics investigation, breach notification, credit monitoring, and defense.  While the insurance was very helpful, the responsibility to handle and mitigate the claim was on the university.  The new BBR program is just that, a breach response.  Should we have a claim, we notify Beazley and they handle all of the claim.  From the investigation to notification and credit monitoring, they handle the breach response, to the extent we want to control.  This takes much of the responsibility and time-consuming activities out of our hands and puts it in the hands of the breach response professionals.  While we will still be involved, it will be more support than lead on the response.  The cost for this program was slightly higher in premium, 10%.  However, we felt that this was enough of a benefit that it was worth the additional premium.
 
If your university experiences a breach, the cost per individual involved will vary.  On our first breach it was about $38/person impacted.  This included the set up of a web address as well as a phone bank, notification letters, and dealings with several State Attorney General's offices.  This cost does not include the time that we as an institution put into it, including my operation, Legal Counsel, Communications & Marketing and Risk Management.

Our Risk Manager did an RFP for a service to assist us in a breach event and found that the extent of services provided varied greatly from one company to another.  Having an agreement set up ahead of time should save us about 15% in total costs.

You would need a service, and the insurance helps cover the cost of the service.  It is very easy to overestimate how much you can do in house and the claim may hit at the worst possible time - year end, for instance.   

I probably have given you more information than you needed but we had a pretty steep learning curve when we started. If you have any other questions please do not hesitate to contact me.  Our risk management area handles this, and they would be happy to answer questions.

Theresa

Hi Stacy,

We just finished going through this process and we now carry a policy with what we think is good coverage.  A couple of insights from my perspective: 

First, our insurance broker was invaluable in facilitating dialogue and advocating for us.  If you use a broker, my advice is to lean on them heavily.  They don't have to understand IT but ours really helped lower our rates.

Second, you need to help the insurance company understand your current IS practices and not rely on any questionnaire they give you - talk to them in person and in detail.

Finally, we made a decision to carefully question the need for several of the first-party coverages they tried to include and ended up reducing our premiums by 1/3 by eliminating some first-party coverage and relying on our broker to negotiate aggressively on our behalf.

The level of coverage is dependent on your needs and potential exposure.  One interesting piece of information is that the insurance industry is using a loss figure of up to $200 per breached record.  Our own analysis suggests the number is likely to be much less than that, but the figure is interesting.

Good luck!

Chris Gill
Chief Information Officer
Gonzaga University
(509) 313-3827

FYI - The insurance industry folks may be getting the $200 loss figure from the Ponemon Institute study which identifies the average cost of a data breach in the U.S. at $204.

 

http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%20Global%20CODB.pdf

 

 

 

====================================

 

Thomas Trappler, ASM

Director, UCLA Software Licensing

 

Email: trappler@oit.ucla.edu

Phone: 310-825-7516

Twitter: @ThomasTrappler

 

From: Gill, Chris [mailto:gill@ITS.GONZAGA.EDU]
Sent: Wednesday, June 13, 2012 6:24 PM
Subject: Re: Cyber Liability Insurance

 



Message from bauer.rick@gmail.com

too bad that there's not a 'safe driver' insurance discount for implementation of best practices in data security. Orgs that are loose with PII are in the same bucket as those who aren't, and the quants in the insurance house simply run the numbers and issue the ever-increasing policies.

not sure how long this will be tolerated by the orgs.

Rick Bauer, CompTIA
former CIO in academe


Rick,

 

The ‘reverse underwriting’ approach used by the University of California Cyber Insurance program may be of interest and is described in the following article (http://www.insurancejournal.com/magazines/features/2011/05/02/196901.htm).  The coverage for individual instances is dependent upon meeting various standards which aids both in affordability and in driving adoption of best practices.

 

Regards,

 

David Willson, CPSM, CFA

Manager, Strategic Technology Acquisition

Office of the Chief Information Officer

University of California, Berkeley

510-643-9677

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Rick Bauer
Sent: Thursday, June 14, 2012 4:22 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Cyber Liability Insurance

 


Macalester College also carries Cyber Liability insurance (1M limit; 10K deductible).  Until this year, we have routinely been required to fill out a relatively straightforward and simple security survey as part of the re-application process.  This year the company utilized a different survey source (Barbican Managing Agency Limited).  This one was more akin to a PCI SAQ-C and completing it was considerably more challenging.  (We experienced the same sort of thing with this year's financial audit).

As I would imagine is the case with many small schools, deploying the level of technology (e.g., file integrity monitoring) and culture change (e.g., mandated information security training for all employees) that would be required to answer all of these new questions in the affirmative would impose an unprecedented burden on most. Yet, if we don't, I expect the justification is now there, based on the answers, for vendors to raise rates in ways not experienced in the past.

Are others having this same experience?

Thanks,
Harry

Harry Pontiff, Ph.D., GISF
Information Security Officer
Macalester College
1600 Grand Avenue - Hum 308
St. Paul, MN 55105
Phone: (651) 696-6826
Fax: (651) 696-6778



Message from bauer.rick@gmail.com

thanks, David...good info; maybe we can encourage that trend. "Safe drivers" deserve a discount.

Rick Bauer


Stacy,

In following the responses to various listserv conversations related to Cyber Liability Insurance, we have worked with a number of institutions on privacy and security and have only one piece of information to add to the good advice already offered:

The insurance company will provide you with a questionnaire. (You also want to have several conversations with the insurer.)  Please fill out the questionnaire thoroughly and candidly, because the contents of your institution's responses will be vitally important.  You will want to clarify what you are doing to protect your cyber security, AND you will want to be sure to collect information, reports, documentation on an ongoing basis that demonstrates and proves that you have been consistently executing the policies and procedures you clarified in the questionnaire.  How well you demonstrate your follow through on your policies and procedures will be excellent protection if you end up having some kind of breach.

Thanks,

Verna Lynch

 

Verna Lynch | Senior Consultant
d: 207.739.9540 | vlynch@berrydunn.com

www.berrydunn.com/consulting

 

 
