In 2014, the state of Montana suffered a hack of a server connected to its Department of Public Health and Human Services. While investigators found no evidence that data had been leaked, state officials used their cyber insurance policy to notify 1.2 million Montana citizens and provide a call center to answer questions. “The fact that insurance provides all those things that you need in the time of an incident, and they are automatically in place and you can utilize them, is huge,” said Lynne Pizzini, chief information security officer and deputy CIO of Montana. “We had forensics capability immediately, and we had counsel. They had a communications plan we could utilize and a call center — all of those things you need in the time of an incident,” she said.
According to insurance broker Marsh, growing concerns about cyber risks drove a 27 percent annual increase in the purchase of cyber insurance policies. Despite this increase, government agencies have been slow to react. A survey conducted by the Ponemon Institute showed that while 37 percent of financial services firms and 29 percent of retail companies had a cyber insurance policy in 2013, only 19 percent of government agencies had insured themselves against breaches. “If everyone in the private sector is buying cyber insurance, why is the government not doing the same thing?” asked Jake Olcott, vice president of business development at BitSight Technologies, a cyber risk management firm. “As far as I know, there is no government-wide policy about insurance that government agencies are supposed to buy or take out. … This is an area where the government is behind the private sector.”