When Barry University officials discovered their network had become infected with malware that was making callbacks to a command center in Russia in 2013, an external security contractor was hired to conduct a forensic analysis of the incident, and intrusion prevention detection software was purchased to monitor the system.
The cost of recovering from the cyberattack could have run into the millions of dollars—except that the university, located in Miami, had already bought cyber-liability insurance. As a result, the university only had to cover 16 percent of the total cost of the data breach, along with a deductible of less than $50,000.
Hence, says Hernan Londono, associate chief information officer for the division of information technology, that insurance was crucial to pay for everything from a forensics investigation to notifiying people whose records were exposed.
Cyberliability insurance is becoming more widely used in higher ed because of the considerable rise in the number of attempted data breaches at colleges and universities.
“The cost of a breach is exorbitant, and beyond the costs, a typical university is not going to know exactly how to respond,” says Matt Donovan, national underwriting leader for technology and privacy at Hiscox, a national insurance company. In addition to cyberliability insurance, Hiscox offers a breach coach and a 24-hour hotline manned by a law firm to help organizations navigate the steps to take after a cyberattack.
Quinnipiac University in Connecticut purchased this insurance in 2010, paying $80,000 to $100,000 annually for the policy, which provides $5 million in liability coverage, says Brian Kelly, chief information security officer. The policy covers the expenses after a breach has been discovered, including notification and response.
While many institutions have not purchased cyberliability insurance, higher ed leaders should seriously consider the benefits of such policies to offset data breach costs, says David Katz, head of the privacy and information security practice group at Nelson Mullins Riley & Scarborough LLP in Atlanta. “Good governance means adequate and appropriate insurance coverage. Failure of a major university system to be insured in the area of cyberrisk would be virtually inexcusable.”