With data breaches and other cyber-compromises so prevalent in seemingly every vertical market, it stands to reason that the government sector would be more proactive about obtaining cyber-insurance. But this isn’t the case: A 2015 survey by the National Association of State Chief Information Officers revealed that only 19 percent of government agencies had signed up for cyber-insurance coverage. And government agencies, according to the Ponemon Institute, have been among the slowest adopters of cyber-insurance; those in the private sector, such as financial firms and retailers, appear to be far more proactive than players on the government side in seeking insurance coverage for cyber-troubles.
MSPs owe it to their government clients to try to turn the tide. For one thing, governments run such a varied array of systems and applications that sustaining and recovering from a data breach could be a very arduous process. Even smaller municipal governments have multiple networks that link their various applications, devices and fleets (i.e., police and fire), as well as payment systems used to collect taxes and other monies due them.
Just as importantly, insurance companies and their partners (e.g., forensics and credit reporting services, to name a few) can do more for the government entities for which they write policies than merely offsetting the tab they run up for a data breach. They can also offer risk management advice to complement yours and assist with incident response exercises. Some can tack on coverage for physical cyber-risks, like an attack on a local utility.
Government Cyber-Insurance Imperatives
In selling your government clients on the idea of cyber-insurance, it’s important to point out that, as with other types of insurance (automobile, home, life), policies and coverage differ from player to player. Advise them that no matter which company they go with, there are a few imperatives worth insisting on.
One such imperative is coverage for unencrypted media—a potential loss some policies don’t cover, but no municipal government should go without. Why—or more accurately, why not? It’s just too much of a risk. For example, suppose a municipal government employee takes home an unencrypted flash drive, the flash drive is lost or stolen, and a data breach results. Clients would want to be covered for the loss, unencrypted or not.
Coverage for nefarious acts by employees—for instance, an intentional compromise of the network by someone who absconds with the network encryption keys—is equally important. Under some policies, an act like this wouldn’t be considered a cyber-breach, although it should.
It’s also important to stress the value of selecting a cyber-insurance policy with a retroactive date (ideally, some experts say, a minimum of two years prior to the effective date) and an extension beyond its life. This is because it’s common for victims of data breaches, government victims included, to learn about these incidents several weeks or even many months after they have occurred.
One last caveat: Even after you’ve convinced government clients to opt for cyber-insurance, don’t let them use it as an excuse for neglecting to engage you to help them design and implement a comprehensive IT security program. No cyber-insurance company will write a policy unless the potential insured is taking concrete action and following best practices to shore up the security of its data and systems.
And that, of course, is where you come in. Cyber-insurance benefits government clients—and MSPs themselves.