Insuring Uncle Sam’s cyber risk

May 02, 2018
6 mins
Data and Information Security, Government, Government IT

The insurance sector needs to have panel members that are already cleared and approved by the DoD in advance of a cyber incident being reported and arguably before coverages are agreed upon within the four corners of an insurance policy.

Over the past two months, I have received questions from insurance brokers about what capabilities are at my disposal to help them support the US government defense contractor community. One consistent theme is a lack of knowing whether the panel firms (those organizations with pre-negotiated rates to support the carrier or broker) have staff with security clearances. Insurance entities are highly predisposed to assessing what credit card data or healthcare data resides on the insured's systems, and little else.

A little background to provide context

While these are important matters, to be sure, these same data sets are now incorporated into the National Archives and Records Administration (NARA) Registry for Controlled Unclassified Information (CUI). So why should this matter to you? It may not apply at all. However, if your organization sells technology goods and services to the US government, there is increased visibility into supply chain risks, and CUI is at ground zero of the matter.

In evaluating platforms that market themselves as rapidly identifying the right cyber insurance coverage, or as completing dry runs of the more structured insurance applications for cyber coverage, I have yet to see a single question that pertains to CUI. In fairness, some policy questionnaires ask a very generalized "or other applicable regulatory requirement". In response to this ambiguously styled question: wouldn't most applicants check "yes" by default, with the General Data Protection Regulation (GDPR) coming into force in just a couple of weeks? I would challenge agents and brokers to look at their completed applications and assess how many respond "yes" to this question.

If an applicant responds “no”, and a claim is filed because of harm incurred by CUI or GDPR sanctions, does that constitute a basis for rescission?

To date, over 4,600 commercial enterprises are contractually bound (through DFARS clause 252.204-7012) to protect CUI by demonstrating the 110 individual cybersecurity controls of NIST SP 800-171. In the event a cyber incident materializes because of the government contractor (think of the Postal Service or Office of Personnel Management breaches), the contractor is responsible for a myriad of incident response activities that are very cost intensive. Furthermore, these same enterprises are generally required to show proof of general liability, directors and officers, automobile, and/or errors and omissions insurance coverage, but no cyber?

The US Census Bureau estimates that 99.7% of all businesses in the United States are small businesses. Applied to the figure above, that would make roughly 4,586 of these 4,600 companies small businesses. When we think "Government Contractor", we probably conjure up imagery of companies like Raytheon, General Dynamics, or Boeing. Having worked for some of these organizations, I can advise that in the face of a cyber incident they have the financial wherewithal to be resilient. If a small business sustains a cyber incident and does not have a financial mechanism to transfer that risk, like an insurance policy, it is likely going to close due to the financial implications.

An unforeseen problem with very profound consequences

For those reading this article who may not be familiar with the operational process of filing a cyber claim, there is generally policy language stipulating that if you do not use the insurance company's panel of incident response and crisis management firms, the carrier is not bound to pay out on the claim. In a nutshell, they want the first call to be to the carrier. This creates a bit of a challenge, since the natural inclination of a business owner is to contact their attorney, and in the case of a Government Contractor the contractual obligation reads: "'Rapidly report' means within 72 hours of discovery of any cyber incident."

A company might be able to notify the insurance company first and still notify the Department of Defense within 72 hours, but here is where it gets a bit dicey.

The contractual obligations with the U.S. Government also convey the following:

(ii)  Rapidly report cyber incidents to DoD at

(2)  Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at

Did you catch that? 

Let’s take a second look.

"(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD."

So the incident report, and whatever of your own information goes into it, is now treated as DoD information!

It is very plausible that if a Government Contractor notifies the insurance carrier's point of contact of a cyber incident, and the panel members respond and access the victim's network, this constitutes a breach of contract. Why? Because these individuals are neither employees nor previously approved supply chain partners with authorized access to the system in question. Take it a step further. What if the system or data in question is classified?

If the panel response team does not have the appropriate security clearances, the insured party is now in harm’s way beyond the original cyber incident because allowing their access constitutes a contractual violation.

The flip side of this issue is that the DoD may provide its own response resources and then charge the Government Contractor for the fees incurred. If the claim is then denied because the panel was not used, is that denial justified? Does it expose the insurer to litigation by the insured party for failing to pay the claim? If the questions within the application are not specific enough, or if the carrier does not have a panel with cleared personnel, does this expose both the insured and the insurer to a colossal debacle in the face of a crisis event?

A path forward

The insurance sector needs to have panel members that are already cleared and approved by the DoD in advance of a cyber incident being reported and arguably before coverages are agreed upon within the four corners of an insurance policy.

This scenario is likely to become more pervasive in 2019 and beyond as the Department of Homeland Security and other non-Defense agencies (the Justice Department, etc.) evolve their procurement language to emulate the DoD cybersecurity requirements. That expands the population of affected companies from over 4,600 to tens of thousands.


Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a certified information system security professional with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law. He is a cybersecurity subject matter expert supporting government and commercial markets to better define how to evaluate a risk profile and defining criteria for brokers and carriers to utilize in their determination on coverage and premium analysis.

HEMISPHERE is working with insurance stakeholders to define appropriate standards and training of brokers and agents in determining coverage requirements, scheduled for release later in 2017. HEMISPHERE is also working with the National Association of Insurance Commissioner’s Cyber Task Force.

Mr. Schoenberg's expertise has been featured at many events, and his background and knowledge in the Latin American markets, specifically in Panama, has provided him with a unique and detailed view of this market segment.

Mr. Schoenberg is responsible for designing practical solutions to address cyber risk management using his proprietary cost-benefit analysis, enabling system owners to make mission- and cost-justified decisions on cyber risk. Starting his career in law enforcement as a homicide detective, his work products have been actively used by DHS, the ISAC communities, and the Georgia Bar Association for Continuing Legal Education (CLE) credits on the topic of cybersecurity risk and liability. His expertise is profiled at conferences including ISC2, SecureWorld Expo, ISSA and InfosecWorld.

The opinions expressed in this blog are those of Carter Schoenberg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.