It was a letter from his wife's old community college that made Alex Deshuk particularly happy that his city had invested in cyber insurance.
As the manager of technology and innovation for the city of Mesa, Ariz., Deshuk last fall led the team that made the decision to purchase a cyber insurance policy to cover the city. Not too long afterward, Deshuk's wife received a letter from Maricopa Community Colleges, where she had taken classes two decades before, informing her that the community college's database had been hacked and records going back to her time there and beyond might be at risk. The college incident highlighted the concerns that Deshuk shares with many other IT security professionals: In the case of a major breach, aside from better security tools and tactics, what can an organization do to better protect itself? For an increasing number of organizations, it's buy cyber insurance.
“Our biggest concern was protecting the information of our citizens,” says Deshuk, adding that Mesa's policy not only limits the city's exposure in the case of a breach, but provides coverage to help assist residents if their personal information sitting on the city computers is compromised. The $5 million policy, which Mesa had underwritten last fall by ACE Group, is “fairly complicated,” says Deshuk; but, it generally offers the city protection and coverage in the case of an online exposure.
Cyber insurance policies were introduced little more than a decade ago, but have become wildly popular in just the past few years, as news of devastating (and increasingly expensive-to-rectify) exposures become the stuff of daily local and national headlines. Not many people outside of Arizona may know of the Maricopa Community Colleges record breach, but a person would have to be hiding under a rock to not have heard of the Target breach compromising the personal information of 40 million customers in late 2013. Similar high-profile breaches at Michaels, Neiman Marcus and LivingSocial and Washington state courts and many other companies and government agencies have spotlighted not only the increasing likelihood that virtually any organization may be hacked, but also how expensive cleaning up those incidents can be. Case in point: Target probably will have to pay out as much as $2 billion just for credit monitoring provided to customers, according to Vormetric.
While Mesa was already far along in its process when news of the Target breach broke, Deshuk says, “Those [major] breaches made it easier for us to move forward more quickly. When you think about it, the cost per million [dollars of coverage] is relatively inexpensive compared to other liability insurance in what it covers.”