A couple of discussions at Networkshop this week have raised the question of cyber-insurance, and whether this might be useful to universities and colleges. To think about that I split the question into three:
- What sort of risks does insurance cover, and are they things that are high on your risk register?
- If an incident of that kind does happen, is a money payment (which is what insurance policies generally provide) going to be useful in making your position better?
- Are there other ways you could deal with those risks, and how do their costs/benefits compare?
For example, a couple of recent reports have looked at cyber-insurance from the perspective of businesses and law firms. Those suggest that insurance is most commonly used to cover the costs incurred under data breach notification laws, where organisations are required to notify individuals if their personal data have been exposed as a result of an incident. In those cases there are obvious money costs – for example postage and perhaps paying for credit reports – so an insurance payout might well be helpful. And it is possible that universities might suffer that kind of breach, though preventive approaches such as PCI-DSS might be a more effective way to reduce the risk.
However the articles also suggest that insurance can be used to cover liability to third parties when paid hosting services suffer incidents such as website defacement. That’s an area where I suspect damage to universities is more likely to be reputational than financial, so an insurance payment might be less help in solving the problem. And, as the articles note, some of these may already be covered by existing liability and professional indemnity insurances anyway. Having an effective incident response plan to minimise the damage from such incidents may be an effective alternative approach.
The other issue with cyber-insurance seems to be that, although products have existed for a decade, there haven’t been many policies taken out or claims made under them. That probably means that neither purchasers nor insurers have much data on what the actual risks are, so policy prices are less likely to reflect the true risk/benefit balance than for other, better understood, areas of insurance [Sarah Clarke has an excellent discussion of this]. That situation may be even worse for universities, as insurers’ data are likely to reflect commercial businesses where IT operations and risk calculations may be very different to ours. If you are considering such insurance, you may get a better deal by limiting it to areas of operation that are most similar to businesses, where the pricing is more likely to be accurate.