Insuring cyber risk for government contractors

Jun 07, 2017

Insurance companies should understand the market opportunity for cyber insurance with government contractors.

Over the course of the past year or so, when I have reviewed data points collected by the insurance sector, something struck me as odd. The majority of applications for cyber coverage will ask if you have credit card or healthcare data. That is very important to know, but here are some other interesting data points to consider. There are roughly 300,000 businesses that sell to the United States Government, otherwise known as government contractors (GovCons). A percentage of these GovCons sell things like tables, chairs, pens, paper, 5-gallon water jugs; you get the point. A larger percentage sells technology, technology as a service, or services for technology (staff augmentation).

Up until fairly recently, I would argue that focusing on credit card or healthcare records was prudent and necessary to evaluate the risk profile of a potential applicant. While this is still important, it is incomplete. GovCons are facing increasing pressure to demonstrate enhanced cyber risk mitigation capabilities as part of the contractual obligations that come with the award of a contract to sell technology-related products and services. While retail contends with the Payment Card Industry Data Security Standard (PCI-DSS) and healthcare deals with the Health Insurance Portability and Accountability Act (HIPAA), GovCons must comply with what is known as the Federal Acquisition Regulations (FAR). The Department of Defense has its own (DFAR), and even the U.S. Department of Homeland Security has one (HSAR).

Part of these requirements reflects that, in the face of a cyber incident caused by the GovCon (think of the OPM, USIS or USPS breaches), the GovCon will be held accountable for some of the costs associated with the event. This can include the costs tied to incident response and recovery (crisis management), breach notifications, and even credit monitoring. Of the 300,000 GovCons I referenced earlier, half are small businesses. The likelihood that a GovCon, let alone a small business, can sustain these costs without dramatically impacting its bottom line is worth noting, before we even discuss the risk of declaring bankruptcy and closing its doors altogether. Having the resilience to withstand such an incident requires a financial instrument like a cyber policy.

As part of the new standard being developed for the insurance sector by ACORD in conjunction with HEMISPHERE (Disclosure: I am employed by HEMISPHERE), one of the goals is to address “sensitive data” as a whole and no longer limit it to just the PCI and HIPAA arenas. While a standard is important, the opportunities that can be derived from the GovCon arena are sizeable. If you read any existing research on cyber insurance, you will see a common theme: quantifying the value of intellectual property is very problematic. What I offer in response to that is an opportunity for the insurance sector to offer “cyber riders.” Why not? They do it for property and casualty. If a GovCon wins a $5 million contract over 5 years ($1 million per year base + 4 option years), the value of said rider could be $5 million in year one, $4 million in year two and so on. This is a sliding scale to offset the potential loss of business tied to a cyber incident that results in a claim, a duty to notify the government, and a determination that, as a result of the cyber incident, renewals or extensions will not be granted. So in summary, the insurance sector has a massive opportunity to sell cyber policies to GovCons and to provide unique options for enhanced protection in the face of a cyber incident that could otherwise force some, if not a very large percentage, to go out of business because of the financial implications.
Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a certified information systems security professional with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law. He is a cybersecurity subject matter expert supporting government and commercial markets to better define how to evaluate a risk profile and to define criteria for brokers and carriers to use in their determination of coverage and premium analysis.

HEMISPHERE is working with insurance stakeholders to define appropriate standards and training of brokers and agents in determining coverage requirements, scheduled for release later in 2017. HEMISPHERE is also working with the National Association of Insurance Commissioner’s Cyber Task Force.

Mr. Schoenberg’s expertise has been featured at many events, and his background and knowledge of the Latin American markets, specifically Panama, has provided him with a unique and detailed view of this market segment.

Mr. Schoenberg is responsible for designing practical solutions to address cyber risk management using his proprietary cost-benefit analysis enabling system owners to make mission and cost justified decisions on cyber risk. Starting his career in law enforcement as a homicide detective, his work products have been actively used by DHS, the ISAC communities, and the Georgia Bar Association for Continuing Learning Educational (CLE) credits on the topic of cybersecurity risk and liability. His expertise is profiled at conferences including ISC2, SecureWorld Expo, ISSA and InfosecWorld.

The opinions expressed in this blog are those of Carter Schoenberg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.