Insurance companies should understand the market opportunity for cyber insurance with government contractors. Over the course of the past year or so, when I have reviewed data points collected by the insurance sector, something struck me as odd. The majority of applications for cyber coverage will ask if you have credit card or healthcare data. Very important to know, but here are some other interesting data points to consider.
There are roughly 300,000 businesses that sell to the United States Government, otherwise known as government contractors (GovCons). A percentage of these GovCons sell things like tables, chairs, pens, paper, 5-gallon water jugs; you get the point. A larger percentage sells technology, technology as a service, or services for technology (staff augmentation).
Up until fairly recently, I would argue that focusing on credit card or healthcare records was prudent and necessary to evaluate the risk profile of a potential applicant. While this is still important, it is incomplete. GovCons are facing increasing pressure to demonstrate enhanced cyber risk mitigation capabilities as part of contractual obligations upon award of a contract to sell technology-related products and services. While retail contends with the Payment Card Industry Data Security Standard (PCI-DSS) and healthcare deals with the Health Insurance Portability and Accountability Act (HIPAA), GovCons must comply with what is known as Federal Acquisition Regulations (FAR). The Department of Defense has its own (DFAR) and even the U.S. Department of Homeland Security has one (HSAR).
Part of these requirements reflects that, in the face of a cyber incident caused by the GovCon (think OPM, USIS or USPS breaches), the GovCon will be held accountable for some of the costs associated with the event. This can include the costs tied to incident response and recovery (crisis management), breach notifications, and even credit monitoring.
When I referenced 300,000 GovCons earlier, half of those are small businesses. The likelihood a GovCon, let alone a small business one, can sustain these costs without dramatically impacting their bottom line is noteworthy, not to mention the risk of declaring bankruptcy and closing their doors altogether. Having the resilience to withstand such an incident requires a financial instrument like a cyber policy.
As part of the new standards being worked on for the insurance sector by ACORD in conjunction with HEMISPHERE (Disclosure: I am employed by HEMISPHERE), one of the goals is to address “sensitive data” altogether and no longer limit it to just the PCI and HIPAA arenas. While a standard is important, the opportunities that can be derived from the GovCon arena are sizeable.
If you read any existing research on cyber insurance, you will see a common element: quantifying the value of intellectual property is very problematic. What I offer in response to that is an opportunity for the insurance sector to offer “cyber riders.” Why not? They do it for property and casualty. If a GovCon wins a $5 million contract over 5 years ($1 million per year base + 4 option years), the value of said rider could be $5 million year one, $4 million year two and so on. This is a sliding scale to offset the potential loss of business tied to a cyber incident resulting in a claim, a duty to notify the government, and a determination that, as a result of the cyber incident, renewals or extensions will not be granted.
So in summary, the insurance sector has a massive opportunity to sell cyber policies to GovCons and provide unique options for enhanced protection in the face of a cyber incident that could otherwise force some, if not a very large percentage, to go out of business because of the financial implications.