By Jennifer Jasinski, Director of Business Services and Risk Management, Arkansas State University – Jonesboro and Glenn Klinksiek, Knowledge Center Content Manager, URMIA
URMIA surveyed its members in March 2015 to find out what the current practices are for purchasing cyber liability insurance (Cyber) in higher education. The goal of this survey was to provide the URMIA membership with an understanding of:
- The frequency that URMIA members purchase Cyber
- The limits and deductibles chosen by members and the reasoning behind these choices
- The rationale behind the purchasing decision
- Differences in Cyber purchased among colleges and universities, between public and private Institutions, and between smaller and larger institutions
- Whether URMIA members are purchasing Cyber more frequently now than in recent years
From the 109 survey responses, the key findings of the survey are:
- About 68 percent of respondents purchase Cyber, and about 70 percent of those purchasers have done so within the last three years. Those who do not purchase Cyber are re-evaluating their decision.
- Respondents from private institutions purchase Cyber more often than those from public institutions, while smaller institutions purchase Cyber more often than larger ones. Private institutions purchase higher limits than public institutions, as do larger institutions than smaller.
- Most institutions that purchase Cyber have limits of $5 million or less and deductibles of $50,000 or less.
- In their purchasing decisions, institutions value insurer coverage of the cost of data breach notification and credit monitoring and assistance with complying with notification laws for multiple jurisdictions.
- Nearly a third of the respondents have filed a claim under their Cyber and have been satisfied with the insurer's response.
Cyber Liability Insurance Description
Cyber liability insurance covers a variety of both liability (3rd party) and property (1st party) losses that may result when a college or university engages in various electronic activities including collecting data within its internal electronic network, especially liability for a data breach where sensitive information, such as Social Security or credit card numbers, is exposed or stolen. Cyber may cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft. In addition, Cyber may cover liability arising from website media content, as well as property exposures from: (a) business interruption, (b) data loss/destruction, (c) computer fraud, (d) funds transfer loss, and (e) cyber extortion.
Survey Response Demographics
Large public institutions represent the largest portion of respondents to the survey. Responses came from about 50 percent more public institutions than private; publics represented 62 percent (66) of the responses while privates were 38 percent (41). Nearly half the responses (48.1 percent, or 52) came from institutions with enrollments of over 15,000 students. Institutions with enrollments of under 5,000 students represented 21 percent (23), and those with enrollments of 5,000-10,000 and 10,000-15,000 represented about 15 percent of the responses each.
Why Institutions Purchase Cyber Liability Insurance
About two thirds of the respondents purchase Cyber, while a third do not.
A large majority of the private institutions responding purchase Cyber, while about 60 percent of the public institutions responding purchase Cyber.
The survey results indicate that smaller institutions purchase Cyber more often, while large institutions do so to a lesser extent.
Institutions that did not purchase this insurance were asked to indicate the reasons they did not. Most responses indicated “other reasons” beyond the options listed in the survey. All but five of these indicated they are in the process of reevaluating their decision not to purchase this insurance. The other reasons for not purchasing are:
- Still exploring how our state's sovereign immunity limits (or doesn't limit) our liability.
- Need to better understand the coverage to make sure it is cost effective for us as opposed to retaining this risk.
- Still need to implement some information technology (IT) policies and become PCI compliant to make it feasible. Otherwise, the limited coverage is not worth the cost.
- IT has felt that the application and underwriting process is too difficult in our highly decentralized IT environment.
- The purchase of commercial Cyber insurance has not been requested/recommended by senior IT leadership at our institution at this time.
Of the institutions responding to the survey that purchase Cyber, about 70 percent have purchased it in the last three years.
Those purchasing Cyber do so for a number of reasons as shown in the chart below.
Other reasons for purchasing this insurance include:
- Provides an allocation method for cost under the retention
- Required by some contracts for IT related services or development provided to other entities
- HIPAA coverage
- To pay regulatory fines and penalties
Institutions purchase a range of Cyber limits, reaching more than $20 million, although about two-thirds purchase $5 million or less.
Private institutions purchase somewhat higher limits than public institutions.
Institutions with larger enrollments tend to purchase higher limits than smaller institutions.
The determinant most commonly cited for the insurance limits respondents purchase is the estimated liability for a data breach, cited about twice as often as the estimated cost under another type of data breach. About a quarter of the time, senior management or budget is a factor in determining the limit selected.
About 70 percent of the respondents have Cyber policies that have lower limits for certain types of losses. The types of losses that are most often subject to lower limits are notification costs, crisis management and regulatory costs.
About the same number of respondents have policies with losses subject to a single deductible as compared to those with more than one deductible.
Most respondents have deductibles of $50,000 or less (53 percent).
Public university respondents tended to have higher deductibles than private universities.
Institutions with larger enrollments tended to have larger deductibles.
Experience with Claims under Cyber
Nearly a third of the institutions reported having made a claim under their Cyber policy.
Several reported having more than one claim in the last three years.
Respondents have been satisfied with the insurer’s handling of their largest claim.
Cyber Recommendations from Survey Respondents
In response to a request that respondents list one suggestion they would make to any college or university considering whether to purchase Cyber, 68 offered the following recommendations. Of these, the most frequently recommended actions (about 10 times each) were understanding Cyber coverage, involving IT and encouraging others to purchase the insurance.
- Be clear about the risk and what the cover will provide.
- Have your IT department help complete the application and ask carrier for clarification on any questions so everyone is on the same page. We recently found out that our definition of PCI DSS requirements wasn't the carrier's definition.
- Buy it!
- Have a Chief Information Security Officer and a solid plan for breach mitigation.
- Consider your exposure. Can you afford the notification costs?
- Decide how much risk tolerance to accept up front, and how much accountability to assign to responsible units when a loss occurs.
- Evaluate the company's (often FREE) loss control services, such as vulnerability scans, IP blocking, online training and legal support.
- Breach coach is essential.
- Buying insurance does not reduce the probability of cyber breach losses.
- Construct an RFP for brokerage services, not specific coverage limits and deductibles.
- Cyber is not traditional insurance -- you are purchasing mitigation management.
- Determine your highest priority risks and understand the sublimits that apply to your identified risks.
- Encrypt all devices.
- Evaluate the financial impact to the university in the event of a worst case scenario.
- Get multiple quotes.
- Get your IT people on board with you.
- Go for a moderate-to-high deductible and catastrophic coverage to get high limits at an affordable price.
- Have a good plan to deal with the event before you purchase.
- It is highly likely that Information Privacy and Security insurance will soon be an expectation of regulators.
- It is time, and in the compliance era, it is necessary.
- Look at ancillary services offered - especially crisis response, credit monitoring etc.
- Maintain control over deciding whether or not the incident requires you by law to notify, and don't notify if not required by law. Take your time to figure this out.
- Make sure the policy includes cyber terrorism coverage.
- Make sure the notification sublimit is adequate.
- Management would question why they haven't purchased it.
- Market and compare coverage for privacy breach response services.
- Not if but when there will be a problem.
- Reach out to other universities who have Cyber Insurance and get their advice.
- The help with legal notification requirements is invaluable.
- The product is currently evolving; make sure your broker has the expertise to be on the forefront. Also, try to get "war" risk excluded.
- You need to understand the philosophical approach your institution would take to manage a breach before choosing an insurance solution.