CYBER INSURANCE AT USF

Alex Campoe, Director for Information Security at the University of South Florida, had just come out from a meeting with the CIO of the University, and this thought summed up the CIO’s opinion. While Alex had heard of the term cyber insurance, this was the first time he had actually been compelled to think seriously about it. Until now, he had not considered the possibility that he might actually negotiate the terms of such a policy. There had not been any significant cyber incident at USF, and by all accounts, the IT team at USF did a fine job. Besides, he had always assumed that as a state institution, he had the backing of the State of Florida in case a severe cyber-incident were to affect USF. So, the possibility that the leadership at USF might seriously consider paying for a cyber insurance policy had not occurred to him until his CIO actually brought it up that morning. To be clear, Alex’s CIO had not pushed him into deciding in favor of going ahead with a cyber insurance policy. He had only been asked to consider the utility of such a policy for the institution. Alex was confident that he enjoyed his CIO’s trust, so that his recommendations would be taken very seriously. And though this was a new domain for him, Alex wanted to make sure he had considered all relevant issues before making his recommendation. First, there was the issue of what exactly was a cyber insurance policy. What did it cover? What did it leave out? What obligations did it place on him as the Director of Information Security at USF? Second, was the issue of the costs of such a policy. Even if cyber insurance was useful, would it still be worth the costs? There were many buildings on campus running hardware that was purchased over 30 years ago, which had not been supported by their manufacturers for over 10 years. Upgrades to such obsolete equipment were being put off year after year due to lack of funds. In this environment, would USF still consider it a good decision to invest in such a policy if it made no claims for many years? Given that this kind of insurance policy was still new to the market, were there some examples of organizations that had bought this kind of insurance, and if so, what was their experience? While cyber insurance seemed unlikely to be budgeted in the short run at USF, Alex could clearly see that businesses were taking it seriously. Such business innovations were not common, and Alex was eager to be the subject matter expert in this emergent domain, when presented the opportunity. Yes, he was going to learn enough about cyber insurance to be able to make an informed recommendation to his CIO next week.