Insuring Uncle Sam’s cyber risk

The insurance sector needs to have panel members that are already cleared and approved by the DoD in advance of a cyber incident being reported and arguably before coverages are agreed upon within the four corners of an insurance policy.


Over the past two months, I have received questions from insurance brokers about what capabilities are at my disposal to help them support the US government defense contractor community. One consistent theme observed is a lack of “knowing” whether the panel firms – those organizations with pre-negotiated rates to support the carrier or broker – have staff with security clearances. Insurance entities are highly predisposed to assessing what credit card data or healthcare data resides on the insured’s system.

A little background to provide context

While these are important matters to be sure, these same data sets are now incorporated into the National Archives and Records Administration (NARA) Registry for Controlled Unclassified Information (CUI). So why should this matter to you? It may not apply at all. However, if your organization sells technology goods and services to the US government, there is increased visibility into supply chain risks, and CUI is at ground zero of the matter.

In evaluating platforms that market themselves as rapidly identifying the right cyber insurance coverage or completing dry runs of more structured insurance applications for cyber coverage, I have yet to see any questions that pertain to CUI. In fairness, some policy questionnaires ask a very generalized “or other applicable regulatory requirement” question. In response to this ambiguously styled question, wouldn’t most applicants check “yes” by default with the General Data Protection Regulation (GDPR) in play in just a couple of weeks? I would challenge agents and brokers to look at their completed applications and assess how many respond “yes” to this question.

If an applicant responds “no”, and a claim is filed because of harm incurred by CUI or GDPR sanctions, does that constitute a basis for rescission?

To date, there are over 4,600 commercial enterprises that are now contractually bound to protect CUI by demonstrating 110 individual cybersecurity controls. In the event a cyber incident materializes because of the government contractor (think Postal Service or Office of Personnel Management breaches), the contractor is responsible for a myriad of incident response activities that are very cost intensive. Furthermore, these same enterprises are generally required to show proof of general liability, directors and officers, automobile, and/or errors and omissions insurance coverage – but no cyber?

The US Census Bureau estimates that 99.7% of all businesses in the United States are small businesses. From this estimation, that defines 4,586 of these 4,600 companies as small businesses. When we think “Government Contractor”, we probably conjure up imagery of companies like Raytheon, General Dynamics, or Boeing. Having worked for some of these organizations, I can advise that in the face of a cyber incident they have the financial wherewithal to be resilient. If a small business sustains a cyber incident and does not have a financial mechanism to transfer that risk, like an insurance policy, they are likely going to close due to the financial implications.

An unforeseen problem with very profound consequences

For those reading this article who may not be familiar with the operational process of filing a cyber claim, there is generally language that stipulates if you do not use the insurance company’s panel of incident response and crisis management firms, they are not bound to pay out on a claim. In a nutshell, they want the first call to be to the carrier. This creates a little bit of a challenge when a natural inclination of a business owner is to contact their attorney and, in the case of a Government Contractor, the contractual obligation reads, “‘Rapidly report’ means within 72 hours of discovery of any cyber incident.”

A company might be able to notify the insurance company first and notify the Department of Defense within 72 hours, but here is where it gets a bit dicey.

The contractual obligations with the U.S. Government also convey the following:

(ii)  Rapidly report cyber incidents to DoD at http://dibnet.dod.mil.

(2)  Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at http://dibnet.dod.mil.

Did you catch that? 

Let’s take a second look.

“(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD.”

So, whatever may be construed as your information now belongs to the DoD!

It is very plausible that if a Government Contractor notifies the insurance agency’s point of contact of a cyber incident and those panel members respond and access the victim’s network, this may constitute a breach of contract. Why? Because these individuals are neither employees nor previously approved supply chain partners with authorized access to the system in question. Take it a step further. What if the system or data in question is classified?

If the panel response team does not have the appropriate security clearances, the insured party is now in harm’s way beyond the original cyber incident because allowing their access constitutes a contractual violation.

The flip side of this issue is when the DoD provides resources and may charge the Government Contractor for fees incurred. If a claim is denied because the panel was not used, is the rescission justified? Does it expose the insurer to the risk of litigation by the insured party for failing to pay that claim? If the questions within the application are not specific enough or if the carrier does not have a panel with cleared personnel, does this expose both the insured and insurer to a colossal debacle in the face of a crisis event?

A path forward

The insurance sector needs to have panel members that are already cleared and approved by the DoD in advance of a cyber incident being reported and arguably before coverages are agreed upon within the four corners of an insurance policy.

This scenario is likely to become more pervasive in 2019 and beyond as the Department of Homeland Security and other non-Defense agencies (Justice Department, etc.) evolve their procurement language to emulate the cybersecurity requirements from DoD. This expands the number of companies from over 4,600 to tens of thousands of companies.

This article is published as part of the IDG Contributor Network.