Chinese hackers have “deeply personal” info on govt. employees – what it means for insurance

Insurance Business America

The breach of “deeply personal information” on past, current and prospective members of the federal government has given many insurance industry representatives pause on how to best protect public and small commercial bodies from cyber attacks.

Hackers with links to China accessed information submitted to US intelligence and military personnel on the mental illnesses, drug and alcohol use, past arrests, bankruptcies and other sensitive material of nearly anyone who has applied for or received security clearance from the government.

Officials confirmed the June 8 breach of the Office of Personnel Management late last week, saying there was “a high degree of confidence that…systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.”

The White House confirmed that the hackers were tied to China, which could compromise the victims’ ability to continue in their positions.

“[The Chinese hack] makes it very hard for any of those people to function as an intelligence officer,” Joel Brenner, a former US counterintelligence official, told the Associated Press. “The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That’s a gold mine. It helps you approach and recruit spies.”

More than 4 million people had been investigated for a security clearance as of October 2014, according to government records, and officials believe nearly everyone had their data exposed in the breach. The White House is currently putting the number of compromised records at between 9 million and 14 million, going back to the 1980s.

For insurance industry professionals, the breach of the federal government was not entirely unexpected. However, it helps underline a point that many proponents of cyber liability insurance and other security policies have tried to make repeatedly: no one is safe, and public entities and small private businesses are particularly at risk.

“What this shows is that no one organization can be fully immune to cyber risk – whether they are a public or private sector body,” said Jack Elliott-Frey, a broker with SafeOnline LLP. “Public sector bodies often have smaller budgets than private businesses of the same size, and due to that are forced to spread it across more sectors of the business.

“Ultimately this means that security spending can take a backseat, and with public sector bodies such as local governments or healthcare providers, this can prove to be problematic as they hold plenty of valuable personally identifiable information.”

Personally identifiable information is the most frequently exposed data in a breach, according to a recent study performed by security firm NetDiligence, and healthcare and small businesses make up the bulk of firms breached.

These are also firms most likely to cite price as a reason not to purchase a cyber policy. However, while cyber insurance premiums can be expensive, they are typically much less costly than many clients believe. In general, product premiums are commensurate with client risk, said Michael Palotay, senior vice president of underwriting at NAS Insurance Services.

“I think [potential clients] would be surprised at how cheap it is,” Palotay told Insurance Business. “When the coverage is properly discussed and their exposure is explained in a real-world scenario, it’s usually a no-brainer for the insured.”

Specifically speaking, if each compromised record costs $10 to remediate and 100,000 records are breached, the firm is looking at $100,000 just to meet regulatory standards of reporting and addressing the damage.

In comparison to a $4,000 annual policy, that’s a good deal indeed.