The University of California (UC) has redefined the rules of cyber liability insurance, using an approach that the University’s Chief Risk Officer Grace Crickette calls “reverse underwriting.” Collaborating with the university’s chief information officers, insurance brokers Price Forbes & Alliant, and a London underwriter, UC developed a cyber liability insurance program that reduces risk and drives risk management best practices, Crickette said.

Several years ago, the University of California Office of Risk Services was increasingly becoming aware of cyber risks, encompassing the exposures presented by network security, privacy and social networking. While the UC self-insures and takes high retentions on all of its risks from general liability to professional liability, it lacked cyber insurance. Specifically, UC was seeking a product that catered to its network security, privacy, media and technology liabilities, which concurrently provided a data breach notification and forensics service framework. And not having insurance to protect against emerging risks left the University vulnerable, Crickette said.

Additionally, the UC had experienced cyber losses, from hazard losses as well as cyber breach incidents. “Due to the nature and complexity of operations and the academic culture of open access, educational institutions, and in particular, large research-oriented universities, face unique exposures related to the internet and information security and privacy,” according to a 2008 white paper on “Cyber Liability and Higher Education” by Aon Corp.

In 2008, educational institutions accounted for 33 percent of all reported data breaches. And from Jan. 1, 2007 until Nov. 19, 2008, approximately 158 educational institutions experienced data breaches involving 3.7 million records. “Combine those statistics with a study conducted by the Ponemon Institute that found the average cost of a data breach was $197 per record, and the potential costs are astounding,” Aon indicated. Read the rest of the article here