Main Nav

Posted by sslocum on June 13, 2012

Greetings,

 

How many of your institutions carry Cyber Liability Insurance?  If not, why not?

 

Many thanks for your help.

 

Regards,

 

Stacy

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Stacy,

I am glad you posted this question because we are trying to determine if the risk probability warrants the cost.

Neil Fay

CTO, Hood College

 

Posted by: neilfay on June 13, 2012
Yes, we do.  Covering our bases in the event of an incident.  Cost was not prohibitive
*********************************************
Delores K. Barton
Vice President & Chief Information Officer
Spelman College
350 Spelman Lane, SW, Box 141
Atlanta, Georgia 30314-4399
(404) 270-5376 / FAX (404) 270-5399



Posted by: dbartoncio on June 13, 2012

Stacy,

We carry the coverage, if we were to have an incident and have to offer credit monitoring it can get costly very quickly!

Bill

 

Bill Scorse

Vice-President of Administration and Chief Information Officer

Drury University

900 N. Benton

Burnham Hall #107

Springfield, MO 65802

417.873.7214 Office

417.844.4851 Cell

Bscorse@Drury.edu

Visit us at www.Drury.edu

 

P Please consider our environmental responsibility before printing this e-mail

 

 

 

 

Posted by: bscorse on June 13, 2012

I suspect that many (or most or all?) public institutions self-insure just about everything, and hence don’t have insurance policies with insurance carriers in the traditional sense. Cyber Liability insurance would be no different.

 

Jerry

----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990

Voice: 865 539-7127 •  Fax: 865 539-7653 •  E-mail: jbryan@pstcc.edu

 

 

Posted by: jbryan on June 13, 2012

Clark University carries Cyber Liability insurance.

 

Pennie

 

 

 

Pennie S. Turgeon | Vice President for Information Technology and CIO
Clark University | 950 Main Street | Worcester, MA | 01610-1477
Office: 508-421-3813 | fax: 508-793-8823 | e-mail: pturgeon@clarku.edu

 

P Please don't print this e-mail unless you really need to

 

 

 

 

Posted by: Pturgeon on June 13, 2012

Creighton University also carried cyber liability insurance

 

Brian

 

Posted by: youngbra on June 13, 2012
As does Olin College.
 
Joanne
 
Posted by: joanne.kossuth on June 13, 2012

Albright College has this insurance as well.

 

Dana

 

Dana German

Chief Technology Officer

Information Technology Services

Albright College

610.921.7225

 

 

Posted by: dgerman on June 13, 2012

For all those of you who carry this insurance, what is the extent of the coverage?

 

Dr. Robert Paterson

Vice President, Information Technology, Planning & Research

Molloy College

Rockville Centre, NY 11571

516-678-5000 ex 6443

 

Posted by: rpaterson on June 13, 2012

And a quick addition: S was there a “cost per record lost” that was used to help decide on the coverage level?

 

 

Thanks,

Stacy

 

Posted by: sslocum on June 13, 2012
My standard response: 
Oakland University has purchased Cyber Liability including data coverage for a number of years.  We began our Cyber Liability purchase on July 1, 2005, with AIG.  At that time, the policy was very narrow.  However, as the market for cyber insurance grew, so did our coverage.  Until June 30, 2010, we remained with Chartis (AIG).  Our limits were $5,000,000 in both occurrence and aggregate, with a $50,000 deductible. 
 
Last year we decided to go with a new program being offered by Beazely Insurance.  It is called the Beazely Breach Response program.  Our limits and deductible remained the same.  There were two major changes in the policy.  The first is that the limits go from straight $5M limits, which included notification, to a $5M limit that is in addition to a 2,000,000 person limit for notification. 

The second change is how a breach is handled.  Through experience, we have found that a breach can be quite time consuming and very difficult.  In the prior program, we were responsible for all of the claims handling, including forensics investigation, breach notification, credit monitoring, and defense.  While the insurance was very helpful, the responsibility to handle and mitigate the claim was on the university.  The new BBR program, is just that, a breach response.  Should we have a claim, we notify Beazely and they handle all of the claim.  From the investigation to notification and credit monitoring, they handle the breach response, to the extent we want to control.  This takes much of the responsibility and time consuming activities out of our hands and puts it in the hands of the breach response professionals.  While we will still be involved, it will be more support than lead on the response.  The cost for this program was slightly higher in premium, 10%.  However, we felt that this was enough of a benefit that it was worth the additional premium.
 
If your university experiences a breach, the cost per individual involved will vary.  On our first breach it was about $38/person impacted.  This included the set up of a web address as well as a phone bank, notification letters, and dealings with several State Attorney General's offices.  This cost does not include the time that we as an institution put into it, including my operation, Legal Counsel, Communications & Marketing and Risk Management.

Our Risk Manager did an RFP for a service to assist us in a breach event and found that the extent of services provided varied greatly from one company to another.  Having an agreement set up ahead of time should save us about 15% in total costs.

You would need a service, and the insurance helps cover the cost of the service.  It is very easy to overestimate how much you can do in house and the claim may hit at the worst possible time - year end, for instance.   

I probably have given you more information than you needed but we had a pretty steep learning curve when we started. If you have any other questions please do not hesitate to contact me.  Our risk management area handles this, and they would be happy to answer questions.

Theresa

Posted by: rowe on June 13, 2012
Hi Stacy,

We just finished going through this process and we now carry a policy with what we think is good coverage.  A couple of insights from my perspective: 

First, our insurance broker was invaluable in facilitating dialogue and advocating for us.  If you use a broker, my advice is to lean on them heavily.  They don't have to understand IT but ours really helped lower our rates.

Second, you need to help the insurance company understand your current IS practices and not rely on any questionnaire they give you - talk to them in person and in detail.

Finally, we made a decision to carefully question the need for several of the first-party coverages they tried to include and ended up reducing our premiums by 1/3 by eliminating some first-party coverage and relying on our broker to negotiate aggressively on our behalf.

The level of coverage is dependent on your needs and potential exposure.  One interesting piece of information is that the insurance industry is using a loss figure of up to $200 per breached record.  Our own analysis suggests the number is likely to be much less than that, but the figure is interesting.

Good luck!

Chris Gill
Chief Information Officer
Gonzaga University
(509) 313-3827

Posted by: chrisgill on June 13, 2012

FYI - The insurance industry folks may be getting the $200 loss figure from the Ponemon Institute study which identifies the average cost of a data breach in the U.S. at $204.

 

http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%20Global%20CODB.pdf

 

 

 

====================================

 

Thomas Trappler, ASM

Director, UCLA Software Licensing

 

Email: trappler@oit.ucla.edu

Phone: 310-825-7516

Twitter: @ThomasTrappler

 

From: Gill, Chris [mailto:gill@ITS.GONZAGA.EDU]
Sent: Wednesday, June 13, 2012 6:24 PM
Subject: Re: Cyber Liability Insurance

 

Hi Stacy,

 

We just finished going through this process and we now carry a policy with what we think is good coverage.  A couple of insights from my perspective: 

 

First, our insurance broker was invaluable in facilitating dialogue and advocating for us.  If you use a broker, my advice is to lean on them heavily.  They don't have to understand IT but ours really helped lower our rates.

 

Second, you need to help the insurance company understand your current IS practices and not rely on any questionnaire they give you - talk to them in person and in detail.

 

Finally, we made a decision to carefully question the need for several of the first-party coverages they tried to include and ended up reducing our premiums by 1/3 by eliminating some first-party coverage and relying on our broker to negotiate aggressively on our behalf.

 

The level of coverage is dependent on your needs and potential exposure.  One interesting piece of information is that the insurance industry is using a loss figure of up to $200 per breached record.  Our own analysis suggests the number is likely to be much less than that, but the figure is interesting.

 

Good luck!

Chris Gill

Chief Information Officer

Gonzaga University

(509) 313-3827


Posted by: trappler on June 14, 2012
Message from bauer.rick@gmail.com

too bad that there's not a 'safe driver' insurance discount for implementation of best practices in data security. Orgs that are loose with PII are in the same bucket as those who aren't, and the quants in the insurance house simply run the numbers and issue the ever-increasing policies.

not sure how long this will be tolerated by the orgs.

Rick Bauer, CompTIA
former CIO in academe

On , "Trappler, Thomas" <trappler@oit.ucla.edu> wrote:
>
>
>
>
>
>
>
>
> FYI - The insurance industry folks may be getting the $200 loss figure from the Ponemon Institute study which identifies the average cost of a data breach in the U.S. at $204.
>  
> http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%...
>  
>  
>  
>
> ====================================
>  
> Thomas Trappler, ASM
> Director, UCLA Software Licensing
>  
> Email:
> trappler@oit.ucla.edu
> Phone: 310-825-7516
> Twitter:
> @ThomasTrappler
>
>
>  
>
>
> From: Gill, Chris [mailto:gill@ITS.GONZAGA.EDU]
>
>
> Sent: Wednesday, June 13, 2012 6:24 PM
>
> Subject: Re: Cyber Liability Insurance
>
>
>
>
>  
>
> Hi Stacy,
>
>
>
>  
>
>
>
> We just finished going through this process and we now carry a policy with what we think is good coverage.  A couple of insights from my perspective: 
>
>
>
>  
>
>
>
> First, our insurance broker was invaluable in facilitating dialogue and advocating for us.  If you use a broker, my advice is to lean on them heavily.  They don't have to understand IT but ours really helped lower our rates.
>
>
>
>  
>
>
>
> Second, you need to help the insurance company understand your current IS practices and not rely on any questionnaire they give you - talk to them in person and in detail.
>
>
>
>  
>
>
>
> Finally, we made a decision to carefully question the need for several of the first-party coverages they tried to include and ended up reducing our premiums by 1/3 by eliminating some first-party coverage and relying on our broker to negotiate
> aggressively on our behalf.
>
>
>
>  
>
>
>
> The level of coverage is dependent on your needs and potential exposure.  One interesting piece of information is that the insurance industry is using a loss figure of up to $200 per breached record.  Our own analysis suggests the number
> is likely to be much less than that, but the figure is interesting.
>
>
>
>  
>
>
>
> Good luck!
>
>
>
> Chris Gill
>
> Chief Information Officer
>
>
>
> Gonzaga University
>
>
>
> (509) 313-3827
>
>
>
> gill@its.gonzaga.edu
>
>
>
>
>
>
>
>
Posted by: listserv-anon on June 14, 2012

Rick,

 

The ‘reverse underwriting’ approach used by the University of California Cyber Insurance program may be of interest and is described in the following article (http://www.insurancejournal.com/magazines/features/2011/05/02/196901.htm).  The coverage for individual instances is dependent upon meeting various standards which aids both in affordability and in driving adoption of best practices.

 

Regards,

 

David Willson, CPSM, CFA

Manager, Strategic Technology Acquisition

Office of the Chief Information Officer

University of California, Berkeley

510-643-9677

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Rick Bauer
Sent: Thursday, June 14, 2012 4:22 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Cyber Liability Insurance

 

too bad that there's not a 'safe driver' insurance discount for implementation of best practices in data security. Orgs that are loose with PII are in the same bucket as those who aren't, and the quants in the insurance house simply run the numbers and issue the ever-increasing policies.

not sure how long this will be tolerated by the orgs.

Rick Bauer, CompTIA
former CIO in academe

On , "Trappler, Thomas" <trappler@oit.ucla.edu> wrote:
>
>
>
>
>
>
>
>
> FYI - The insurance industry folks may be getting the $200 loss figure from the Ponemon Institute study which identifies the average cost of a data breach in the U.S. at $204.
>  
> http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%20Global%20CODB.pdf
>  
>  
>  
>
> ====================================
>  
> Thomas Trappler, ASM
> Director, UCLA Software Licensing
>  
> Email:
> trappler@oit.ucla.edu
> Phone: 310-825-7516
> Twitter:
> @ThomasTrappler
>
>
>  
>
>
> From: Gill, Chris [mailto:gill@ITS.GONZAGA.EDU]
>
>
> Sent: Wednesday, June 13, 2012 6:24 PM
>
> Subject: Re: Cyber Liability Insurance
>
>
>
>
>  
>
> Hi Stacy,
>
>
>
>  
>
>
>
> We just finished going through this process and we now carry a policy with what we think is good coverage.  A couple of insights from my perspective: 
>
>
>
>  
>
>
>
> First, our insurance broker was invaluable in facilitating dialogue and advocating for us.  If you use a broker, my advice is to lean on them heavily.  They don't have to understand IT but ours really helped lower our rates.
>
>
>
>  
>
>
>
> Second, you need to help the insurance company understand your current IS practices and not rely on any questionnaire they give you - talk to them in person and in detail.
>
>
>
>  
>
>
>
> Finally, we made a decision to carefully question the need for several of the first-party coverages they tried to include and ended up reducing our premiums by 1/3 by eliminating some first-party coverage and relying on our broker to negotiate
> aggressively on our behalf.
>
>
>
>  
>
>
>
> The level of coverage is dependent on your needs and potential exposure.  One interesting piece of information is that the insurance industry is using a loss figure of up to $200 per breached record.  Our own analysis suggests the number
> is likely to be much less than that, but the figure is interesting.
>
>
>
>  
>
>
>
> Good luck!
>
>
>
> Chris Gill
>
> Chief Information Officer
>
>
>
> Gonzaga University
>
>
>
> (509) 313-3827
>
>
>
> gill@its.gonzaga.edu
>
>
>
>
>
>
>
>

Posted by: dwillson@berkel... on June 15, 2012
Macalester College also carries Cyber Liability insurance (1M limit; 10K deductible).  Until this year, we have routinely been required to fill out a relatively straightforward and simple security survey as part of the re-application process.  This year the company utilized a different survey source (Barbican Managing Agency Limited).  This one was more akin to a PCI SAQ-C and completing it was considerably more challenging.  (We experienced the same sort of thing with this year's financial audit).

As I would imagine is the case with many small schools, deploying the level of technology (e.g., file integrity monitoring) and culture change (e.g., mandated information security training for all employees) that would be required to answer all of these new questions in the affirmative would impose an unprecedented burden on most. Yet, if we don't, I expect the justification is now there, based on the answers, for vendors to raise rates in ways not experienced in the past.

Are others having this same experience?

Thanks,
Harry

Harry Pontiff, Ph.D., GISF
Information Security Officer
Macalester College
1600 Grand Avenue - Hum 308
St. Paul, MN 55105
Phone: (651) 696-6826
Fax: (651) 696-6778

This email may contain information which is privileged, confidential, or protected. If you are not the intended recipient, note that any disclosure, copying, distribution, or use of the contents of this message is prohibited. If you have received this email in error, please notify the sender and delete this email.


Posted by: hpontiff on June 15, 2012
Message from bauer.rick@gmail.com

thanks, David...good info; maybe we can encourage that trend. "Safe drivers" deserve a discount.

Rick Bauer

On , David Willson <dwillson@berkeley.edu> wrote:
> Rick, The ‘reverse underwriting’ approach used by the University of California Cyber Insurance program may be of interest and is described in the following article (http://www.insurancejournal.com/magazines/features/2011/05/02/196901.htm).  The coverage for individual instances is dependent upon meeting various standards which aids both in affordability and in driving adoption of best practices. Regards, David Willson, CPSM, CFAManager, Strategic Technology AcquisitionOffice of the Chief Information OfficerUniversity of California, Berkeley510-643-9677 From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Rick Bauer
> Sent: Thursday, June 14, 2012 4:22 AM
> To: CIO@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [CIO] Cyber Liability Insurance too bad that there's not a 'safe driver' insurance discount for implementation of best practices in data security. Orgs that are loose with PII are in the same bucket as those who aren't, and the quants in the insurance house simply run the numbers and issue the ever-increasing policies.
>
> not sure how long this will be tolerated by the orgs.
>
> Rick Bauer, CompTIA
> former CIO in academe
>
> On , "Trappler, Thomas" trappler@oit.ucla.edu> wrote:
> >
> >
> >
> >
> >
> >
> >
> >
> > FYI - The insurance industry folks may be getting the $200 loss figure from the Ponemon Institute study which identifies the average cost of a data breach in the U.S. at $204.
> >  
> > http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%...
> >  
> >  
> >  
> >
> > ====================================
> >  
> > Thomas Trappler, ASM
> > Director, UCLA Software Licensing
> >  
> > Email:
> > trappler@oit.ucla.edu
> > Phone: 310-825-7516
> > Twitter:
> > @ThomasTrappler
> >
> >
> >  
> >
> >
> > From: Gill, Chris [mailto:gill@ITS.GONZAGA.EDU]
> >
> >
> > Sent: Wednesday, June 13, 2012 6:24 PM
> >
> > Subject: Re: Cyber Liability Insurance
> >
> >
> >
> >
> >  
> >
> > Hi Stacy,
> >
> >
> >
> >  
> >
> >
> >
> > We just finished going through this process and we now carry a policy with what we think is good coverage.  A couple of insights from my perspective: 
> >
> >
> >
> >  
> >
> >
> >
> > First, our insurance broker was invaluable in facilitating dialogue and advocating for us.  If you use a broker, my advice is to lean on them heavily.  They don't have to understand IT but ours really helped lower our rates.
> >
> >
> >
> >  
> >
> >
> >
> > Second, you need to help the insurance company understand your current IS practices and not rely on any questionnaire they give you - talk to them in person and in detail.
> >
> >
> >
> >  
> >
> >
> >
> > Finally, we made a decision to carefully question the need for several of the first-party coverages they tried to include and ended up reducing our premiums by 1/3 by eliminating some first-party coverage and relying on our broker to negotiate
> > aggressively on our behalf.
> >
> >
> >
> >  
> >
> >
> >
> > The level of coverage is dependent on your needs and potential exposure.  One interesting piece of information is that the insurance industry is using a loss figure of up to $200 per breached record.  Our own analysis suggests the number
> > is likely to be much less than that, but the figure is interesting.
> >
> >
> >
> >  
> >
> >
> >
> > Good luck!
> >
> >
> >
> > Chris Gill
> >
> > Chief Information Officer
> >
> >
> >
> > Gonzaga University
> >
> >
> >
> > (509) 313-3827
> >
> >
> >
> > gill@its.gonzaga.edu
> >
> >
> >
> >
> >
> >
> >
> >
Posted by: listserv-anon on June 15, 2012

Stacy,

In following the responses to various listserv conversations related to Cyber Liability Insurance, we have worked with a number of institutions on privacy and security and have only one piece of information to add to the good advice already offered:

The insurance company will provide you with a questionnaire. (You also want to have several conversations with the insurer.)  Please fill out the questionnaire thoroughly and candidly, because the contents of your institution's responses will be vitally important.  You will want to clarify what you are doing to protect your cyber security, AND you will want to be sure to collect information, reports, documentation on an ongoing basis that demonstrates and proves that you have been consistently executing the policies and procedures you clarified in the questionnaire.  How well you demonstrate your follow through on your policies and procedures will be excellent protection if you end up having some kind of breach.

Thanks,

Verna Lynch

 

Verna Lynch | Senior Consultant
d: 207.739.9540 | vlynch@berrydunn.com

www.berrydunn.com/consulting

 

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Posted by: vernalynch on June 27, 2012
Post a Comment

Research and Publications

Conferences and Events

Career Development

Focus Areas and Initiatives

Connect and Contribute

About EDUCAUSE

Close

 


Current Issue
March/April 2013
EDUCAUSE Review

Publications

Research

Close


Annual Conference
October 15–18, 2013
Save the date!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

See All Events

Close

EDUCAUSE Institute
Leadership/Management Programs
Explore More

Career Center

Find or Post a Job

Leadership and Management Programs

EDUCAUSE Institute
Advanced Programs
Project Management

 

Fellowships and Awards

Fellowships
Awards Programs

Getting Involved

Mentoring
Volunteer
Speak at an Event

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

Advance Your Career

 

Close

Latest Topics

EDUCAUSE organizes its efforts around three IT Focus Areas

 

Enterprise and Infrastructure

Enterprise and
Infrastructure

Policy and Security

Policy and
Security

Teaching and Learning

Teaching and
Learning

 

Join These Programs If Your Focus Is

Close

From the Blogs
The Role of Campus Leadership in Ensuring IT Accessibility
by
Diana Oblinger

Find Others

Share Ideas

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

Create Your Profile

 

Close

2013 Strategic Priorities

  • Connected Learning
  • Enterprise IT
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.
 

Discover Membership