Iowa exploring insurance against cyberattacks

DES MOINES - Cyberattacks on government agencies - such as when hackers recently gained access to Iowa's public employee pension accounts, stealing hundreds of thousands of dollars - are becoming increasingly common.

In response, more states are buying insurance to protect them from such attacks.

No Iowa agencies have cyberattack insurance, but the topic is being discussed by state leaders.

'It's a huge discussion,” said Robert von Wolffradt, Iowa's chief information officer.

For now, Iowa is self-insured, with a new cybersecurity operations center now up and running.

Earlier this month, hackers were able to gain access to more than 100 accounts in Iowa's public employee pension system and steal hundreds of thousands of dollars, according to state officials.

Officials do not believe the hackers gained direct access to the state system but rather obtained identifying information - Social Security numbers and birth dates, for example - through other means and used that to access the system.

The event, however, served as a reminder that government agencies in recent years have increasingly become the target of such cyberattacks.

MONEY OR INFORMATION

In 2016, government and finance were the most-targeted sectors for cyberattacks worldwide, according to an annual global threat intelligence report from Dimension Data, a South Africa-based information technology services company.

When hackers attack a financial institution, they are looking for money.

When hackers attack a governmental agency, they are looking for sensitive - and thus valuable - information, experts say.

'The biggest threat is the government is the one that has all our data,” said Doug Jacobson, an Iowa State University professor of computer and electrical engineering. 'They're the ones that have all our Social Security numbers, they have our addresses. They have everything about us. That's the biggest thing (governments) have to try to protect.”

Or, von Wolffradt said, hackers are simply 'trying to subvert government and just make government look bad.”

INSURANCE POLICIES

To protect themselves, more than a dozen states have taken out cyber insurance policies, according to a Stateline report from the Pew Charitable Trust.

Cyber insurance policies generally cover costs related to data theft or corruption, the unauthorized sharing of data and legal costs, according to a report from PNC Financial Services.

Such policies can be expensive. Montana has a $2 million policy that covers all agencies and the state's public university system.

Utah bought a policy in 2015 after a data breach of its health department servers, according to the Pew report.

'It's expensive. It's a big budget item for us. But it's absolutely worth it,” Michael Hussey, Utah's chief information officer, said in the Pew Report. 'You're seeing breaches now that cost companies and states millions and millions of dollars.”

IOWA STUDYING

Would a cyber insurance policy benefit Iowa's state government agencies?

That discussion is taking place, von Wolffradt said, adding the budget department is studying the 'very complex issue.”

Iowa government is currently self-insured, he said.

'I think the issue is, if you're self-insured, how much does this (cyber insurance) cost and how much protection does it afford you and what do you use it for,” von Wolffradt said.

In addition to being costly, cyber insurance policies typically require the customer have certain levels of protections already in place.

'Insurance companies are smart,” von Wolffradt said. 'They're not going to go into something blind. So they require the agencies to do certain things, have certain protections and certain reasonable responses in place. And then that will change the rates that (agencies) are getting charged for insurance.”

Von Wolffradt said he has recommended the state budget department consider a cyber insurance policy.

'We've recommended looking at it because we think that as the industry grows - and it's relatively new - as the insurance matures a little bit, there may be some opportunities there,” von Wolffradt said.

PROACTIVE

Jacobson said Iowa state government has been proactive on cybersecurity for the past decade.

In December 2015, then-Gov. Terry Branstad issued an executive order creating a state cybersecurity initiative. A state cybersecurity strategy was published in July 2016; Jacobson said other states look to the Iowa plan as a model.

In October, the state opened its new cybersecurity operations center, which enables state security officials to monitor systems and respond to incidents almost immediately, according to state officials.

Von Wolffradt's office responding to nearly 1,900 incidents during the budget year that ended June 30. The most common attacks involve malware that attempt to extract data, von Wolffradt said.

'Everybody's trying to do the best they can,” Jacobson said. 'It's a rigged game. The attackers only have to be right once, and we have to be perfect. That's not very fair. But that's the game we're being forced to play.”

l Comments: (515) 422-9061; erin.murphy@lee.net