Tag Archives: May Almassalha

Protecting Institutions From Cyber Risks

Recently, an email glitch at Florida State University resulted in records of alleged misconduct and housing violations being emailed by mistake to more than 13,000 current and former students.

The emails may have revealed the personal information of multiple students and may have disclosed confidentially reported information relating to harassment and alleged sexual assaults. The emails were not sent by anyone on campus; they were the result of a technical glitch in the university’s database. The glitch left students confused and, in some cases, frightened and concerned for their personal safety. University personnel, including FSU’s Title IX Coordinator, moved quickly to address student concerns, but the proverbial cat was already out of the bag. It will likely be some time before the full consequences of the breach, and its final outcomes, are known.

In the wake of FSU’s inadvertent disclosure crisis, a review of the privacy procedures in place at an institutional level may be in order to prevent these types of unintended disclosures in the future. It is also important to review the indemnity agreements between the university and third-party service providers such as the database administrator or software provider. Finally, it is important to review how cyber liability insurance may respond in the event of a data breach.

Data Privacy Protocols

When discussing data privacy protocols, there are three primary areas of concern. They are how to protect:

  1. Information (e.g., personally identifiable data stored on a server)
  2. Mechanisms/systems that make up the physical housing for the information (e.g., the server itself)
  3. Users accessing the information

A breach of confidential information or data loss can occur at any of the three levels in any number of ways. It is impossible to quantify or evaluate every single manner in which a breach may occur—or how data may be lost.

What is important is establishing a protocol that takes into consideration all three areas where a breach may occur. In most cases, it is easy to focus on external threats and user misconduct but overlook the potential for a data breach arising from internal system failures or glitches. The FSU incident is a reminder that a system which mails the wrong records to the wrong recipients exposes confidential information just as surely as an intruder does, and the response protocol must treat it as a breach from the first minute.


In developing data security protocols, it is important to engage in a comprehensive threat assessment that evaluates not only user-based and external avenues of breach but also the possibility of an equipment failure or software glitch.

A few areas to consider when reviewing internal data breach/data loss response protocols:

  1. Who is the architect of the protocols? (Are the foxes guarding the hen house?)
  2. Does your protocol comply with contractual requirements such as PCI compliance and with statutory requirements such as Title IX, HIPAA and other state and federal laws?
  3. Does the protocol specifically address each element of concern identified above? (protection of information, protection of systems, protection of users)
  4. Is there a progressive (tree) notification process? (Do the participants understand where they are in the tree? Does the process include notification to external stakeholders such as legal authorities, insurers, external legal counsel, and crisis management or PR firm?)
  5. Is there strong leadership/executive level buy-in of the protocol?
  6. Is there a training element? (Does it include tabletop or scenario-based practice?)
  7. Is there periodic review of systems and processes to identify and change obsolete protocols and replace key stakeholders in the event of turnover?

Indemnity/Hold Harmless/Limitation of Liability Agreements

Vendor service agreements, user license agreements and even software agreements typically include indemnity terms. In most cases, these terms are one-sided, in favor of the seller or service provider.

Essentially, the purpose of an indemnity agreement is to contractually shift responsibility for loss/damage from one party (seller) to another party (buyer). These types of agreements vary in scope, strength and enforceability but, in most cases, involve a release or limitation of buyer’s claims or potential claims against the seller. In some cases, the buyer may assume full responsibility for any loss, including an affirmative responsibility to protect and defend the seller in the event of third-party claims.

There may also be a limitation on the type and extent of damages a buyer may seek against the seller or service provider—in some cases, the recovery may be limited to the value of contract or agreement. Your institution’s risk management and legal teams should carefully review indemnity terms to fully understand the extent of risk assumed by the institution in executing an agreement with a third party.

As part of a comprehensive risk management process, consider limiting acceptance of comprehensive indemnification terms in a contract. This is especially important where the institution is being asked to waive its legal rights or outright indemnify a vendor for the vendor’s own negligence, misconduct or product/service failure. A few areas to consider in reviewing contract terms:

Indemnity/Hold-Harmless Terms

  1. Who is the indemnitee (recipient of the indemnity) and who is the indemnitor (provider of the indemnity)?
  2. Does the indemnity agreement require one party to indemnify for the other party’s own negligence or misconduct?
  3. Does the indemnity agreement include an obligation to affirmatively defend the indemnitee? Is there a time limit to accept or reject the defense?
  4. Who is responsible for counsel selection?
  5. Is approval needed to settle claims?

Limitation of Liability

  1. Is there a limitation of liability?
  2. Does the limitation favor the institution or vendor?
  3. Is the limitation reasonable in light of the potential for loss or damage or the nature of the service provided? (Limiting liability to the contract value may not be reasonable if the contract value is low and the risk of loss is high.)
  4. Are there carveouts for negligence or misconduct, or is the limitation of liability intended as the sole remedy?
  5. Does the limitation of liability conflict with the indemnity terms? 

Cyber Liability Insurance

In the past few years, cyber liability insurance has gained significant attention among insurance brokers and clients. Cyber insurance refers to a suite of related insurance products that provide various types and levels of protection to insureds that may suffer from data loss or data breach.

There are three major components of cyber liability insurance:

  1. First-party coverage for loss or damage to or interruption of the institution’s electronic equipment and electronic services
  2. Third-party coverage for the liability imposed upon the institution for loss or exposure of third-party data; coverage for third parties may include costs for notification, credit monitoring and credit restoration services
  3. Coverage for regulatory requirements as well as for fines and penalties assessed against the institution as part of a covered loss

Unlike some property and casualty insurance products such as general liability or auto insurance, cyber liability insurance is not standardized. Instead, each insurance company issues a customized policy. These policies may vary greatly from insurer to insurer and can often include a la carte coverages that may significantly affect the breadth and scope of coverage.

A careful review of institutional and vendor policies is strongly recommended to ensure that the coverage purchased addresses the actual risks of the institution. Some questions to consider when reviewing your cyber liability policy: 


First-Party Coverage

  1. How does the policy respond to loss or damage to the institution’s own computer equipment, servers or other hardware components?
  2. How does the policy define a physical loss? (Does it include loss of Internet-based platforms such as web portals, or only loss to physical components?)
  3. Is there a waiting period for business or data interruption? 

Third-Party Coverage

  1. How does the policy respond to breach of confidential or personally identifiable information?
  2. Is coverage provided based on a total number of affected persons or provided on a blanket limit basis?
  3. Is there a minimum/maximum affected person limit?
  4. How is a third-party loss defined? Does it include accidental loss, computer glitches or loss of non-electronic information? (e.g., is there coverage if a laptop containing personally identifiable information is lost? Or if physical records are removed or destroyed?)
  5. Is the coverage triggered only when there is a statutory or governmental notification requirement, or does it cover voluntary notification?

Fines/Penalties

  1. Does the policy include coverage for fines/penalties including payment card industry (PCI) data security standards noncompliance?
  2. Is there a sublimit for the coverage?
  3. Are punitive or exemplary damages included? 

Conclusion

It is important to take a thoughtful approach to securing data in all its various forms. An individual protocol alone is not enough to fully secure your institution in the event of a data breach. It is also important to review vendor service agreements, user agreements and software licenses to ensure an understanding of the indemnity/hold-harmless and limitation of liability provisions, which may be present in a current agreement—and which may open up the institution to unintended liability due to the negligence or misconduct of a third party.

Finally, it is important to review and understand the types and scope of the institution’s cyber liability coverage—or to consider purchasing this coverage if the institution does not currently maintain coverage.

How Colleges Can Work With Insurers

If you sit down with just about any college administrators and ask about the vision of their university, you may witness a dramatic change as their voices fill with passion, reserve disappears and the entire tone of the conversation shifts away from being transactional. As an insurance broker specializing in higher education, I have witnessed this transformative moment many times. Unfortunately, the passion for the institution, its vision and its future does not always translate into the insurance submission and renewal process.

Many people, including some insurance brokers, view buying and selling insurance as a passionless transaction. Information about the college—such as financial statements, property values and loss experience—is gathered, tabulated into Excel spreadsheets and forwarded on to the underwriting arm of seemingly interchangeable insurance carriers. Underwriters review volumes of data about the college to decide whether the insurance company can comfortably provide a college with a certain level of insurance coverage in exchange for a fixed annual premium.


The information provided to an underwriter creates a story about the college. Depending on how the information is received and presented, the story can be positive or negative. To the underwriter, sometimes the insurance submission can be as horror-filled as a Stephen King epic or as romantic as a Nicholas Sparks novel. Of course, the insurance submission is not a work of fiction.

One of the first things that statistics students learn is that the same information (data set) can be used to draw multiple and sometimes competing conclusions. Where one person may see positive potential, another may see an organization in decline. The conclusions drawn from the data set by different insurers and underwriters reviewing the same information may vary significantly.

Why?

Though the information contained in a submission or application may be objective—meaning the information has not been altered or manipulated—the conclusions drawn from the information are less so. The underwriting process involves both subjective and objective analysis. And how the data is interpreted may have a significant impact on the underwriting decision and, ultimately, on the total premium an organization pays.

Using Data

According to a Harvard Business Review article, data can be used as a visual mechanism to direct the narrative surrounding a particular situation. The key is to:

  1. Identify the narrative or the core message the audience should walk away with;
  2. Identify your target audience and figure out what they are interested in—is the presentation to an underwriter, claims adjuster, insurance company executive, etc.?;
  3. Remain objective and offer a balanced viewpoint—your credibility will suffer if what is being said cannot be supported by the facts;
  4. Not censor the data—do not exclude unfavorable information, and this is especially important in an insurance setting as failure to disclose information can constitute insurance fraud; and
  5. Take the time to edit—not the data itself, but how the information is presented.

There are many different methods for presenting the narrative of an institution in the most positive light possible while still providing objective information. The first step is to understand both the positive and negative elements; only then can the institution showcase itself credibly. A failure to fully engage in this process may leave the narrative open to misinterpretation, create questions about unexamined negatives and result in overlooking one or more positive elements.

Communicating the story of an institution involves a deep understanding of the goals and vision of the institution, and there is no one better to communicate that story than a passionate college administrator. However, understanding what drives your institution is not enough—and that is where administrators need to leverage key professional relationships. Selecting the right broker is a key step in driving the narrative forward. A professional partner brings market knowledge and the ability to help transform the narrative from numbers into a story that honors the vision of the administration.

Developing Key Relationships

The majority of colleges and universities work with one or more insurance brokers to engage with the insurance marketplace. At minimum, a broker working with an institutional client assists in (1) identifying insurable exposures, (2) preparing recommendations for coverage types and limits, (3) identifying potential insurers to approach, (4) developing the insurance submission, (5) negotiating pricing and coverage terms and conditions with the markets and (6) presenting the carrier quotes to the institution.

Institutions at every level can rely quite heavily on the services and recommendations of their insurance brokers. The broker can be the difference between a well-structured insurance program and a potential mess of overlapping coverage, gaps in coverage, inconsistent coverage terms, out-of-balance limits and potential claims issues. The broker can also act as a key resource in communicating the organizational narrative to the underwriters.

There are four key elements a broker adds to narrative development:

  1. Market Knowledge: Insurance brokers keep abreast of developments in the marketplace, including insurer appetites. Like any company, insurers have target or preferred customers. Being in an insurer’s target class can provide premium discounts and coverage enhancements. Insurers typically understand the risk exposures associated with their target customers and are comfortable underwriting these risks and adjusting claims. For the insurance client, this means (1) access to expertise from an insurer that understands your institutional risk and (2) comfort in knowing the insurer has an understanding of institutional risk and will be unlikely to cancel or withdraw coverage in the event of a claim. Ultimately, it does not make sense to send an application to an insurer that does not understand or have a comfort level with higher education risks. Insurance brokers also keep abreast of market conditions. For the past few years, insureds have enjoyed relatively stable insurance rates and coverage offerings. It is currently the norm to see flat program renewals and even rate decreases in several key insurance coverage lines. However, it is unlikely that this trend will continue long-term, and it may be significantly affected by: 1) Mergers: The insurance market is changing as insurers look to increase market share and underwriting profit while minimizing exposure to catastrophic losses and unprofitable lines of business. 2) New Market Entrants: There has been an influx of third-party capital into both the insurance and reinsurance markets, resulting in lower insurance prices in the short term. The question is whether these new entrants are here to stay and whether capital levels have peaked.
  2. Underwriting Guidelines/Expectations: Understanding how underwriters use information is a key element of narrative development. Different insurance carriers use underwriting information differently. Customizing the insurance submission to highlight critical (or essential) information that will be viewed favorably by the underwriters makes a big difference.
  3. Risk Analytics: Analytical services provide a more complete picture of organizational risks, claims trends and opportunities for improvement. These services may include claims dashboards, benchmarking analytics, property valuation and catastrophic loss exposure analysis. This is really where brokers can distinguish themselves. Effective use of analytics allows the institution to home in on key risk and loss drivers and develop a risk management plan to address problem areas early. Early identification processes and plans can be communicated to underwriters as part of the application process. This can be critical for institutions with past losses, as it demonstrates steps to control future loss and an awareness of university exposures.
  4. Alternative Program Structures/Alternative Risk Transfer Options: Not every risk can be transferred, and not all risks are adequately covered by buying off-the-shelf insurance products and services. Taking control of the insurance conversation may require a needs-based assessment of academic, administrative and financial processes to determine optimal (1) coverage types/limits and deductibles/retentions, (2) feasibility of self-insured or captive programs, (3) needed coverage enhancements and (4) key contributors to loss/potential losses.

Tips for constructing and delivering your narrative

Start early. Waiting until a couple of months before program renewal does not provide a great deal of time to develop a cohesive narrative or to allow underwriters the time needed to develop a real understanding of the institution. In fact, it can be beneficial to begin the conversation with a prospective insurer years before moving coverage from a current insurer. This is important even if there is a comfort level with the current program structure and insurance providers. Organizational risks are not static, and insurance programs change over time. Engaging in regular dialogue with underwriters at different insurance companies allows multiple carriers to develop an understanding of the college/university’s operations and risks. Developing alternative carrier relationships provides a backup plan.


Know and understand your institutional risks and objectives. This includes both the positive and negative aspects. It can be easy to focus on the positives, but, as with an ostrich hiding its head in the sand, that may result in overlooking key dangers to the continuity of the college itself. You should:

  1. Create an internal risk review team made up of a diverse group of institutional stakeholders, such as human resources staff, facilities/housekeeping, faculty, administrative staff, board of trustees, alumni and students.
  2. Engage an objective third party, such as a risk consulting firm, or use the institution’s insurance broker’s analytical team.
  3. Participate in peer-review activities by engaging with administrative and risk management personnel at other institutions. Participating in risk management round-tables and discussions such as those provided by United Educators, URMIA and other educational insurers/associations can assist in planning for common areas of concern.

Use the data as a guide. As much as insurance brokers may wish otherwise, underwriters are pretty savvy people and will usually catch on to most omissions. It is very hard to recover from a situation where the underwriter feels misled about the organization—there is a loss of trust, respect and partnership that is impossible to get back. Be open and objective about the current position of the college/university. But do not allow the negative information to be all the underwriter sees—provide mitigating information such as steps the college is taking to: (1) improve loss experience, (2) attract higher enrollments or (3) renovate aging infrastructures. Underwriters want to write business, and most of them are looking for a reason to say “yes.”

Do not rely solely on the insurance application. The application gathers the minimum amount of information that an insurance company needs to underwrite a risk. If the institution is working with an insurance broker (as most do), it is important to collaborate with the broker rather than just cede the submission development process entirely to the broker. A broker (regardless of how good she is) is never going to be as passionate about your institution as you are. Get to know your underwriters—go to lunch, meet them at conferences, attend a carrier networking event or even schedule periodic conference calls. If all your organization is to an underwriter is a few sheets of paper submitted 90, 60 or even 30 days prior to a renewal, you will not get the underwriter’s full attention or consideration. Engage your underwriters.