Risk Management Services has purchased insurance coverage to recover financial losses incurred by U-M departments as a result of lost or stolen data, violation of privacy laws, intellectual property infringement and social media risks.

The move comes in response to growing concerns about the potential costs associated with IT security incidents. Coverage now in place extends to the entire Ann Arbor campus, including the Health System, and the Flint and Dearborn campuses.

IT security incidents comprise a wide range of threats to U-M resources, services, and students, faculty, and staff. Examples of incidents include: unauthorized use of systems or data, unauthorized disclosure of sensitive information, or an attack or intrusion that results in severe disruption to critical services.

"Educational institutions face unique exposures related to the Internet and information security and privacy," says Paul Howell, chief information security officer.

"Even with the best security practices in place, there are still significant risks associated with assuring the privacy of sensitive information of U-M community members as well as other costs connected to data breaches or cyber attacks as a function of our complexity, decentralization, and global reach and the academic culture of open access."

General liability coverage maintained by U-M likely would not cover significant losses related to cyber attacks. This new coverage closes that gap and helps to ensure that U-M will be covered in the event of regulatory fines, lawsuits, and reputational damage that may result from a serious data breach or cyber attack. Up to now, if a department experienced a loss due to a cyber breach, it was not covered and rarely planned for in a budget.

The new cyber risk insurance covers direct losses to U-M units for business interruption as a result of a network security breach, data recovery, social media privacy violations, and credit monitoring expenses, among other losses. It also includes coverage for damages to third parties resulting from such cyber risks as identity theft or unauthorized access or use of a U-M information system resulting in violation of privacy laws.

"We are very pleased to partner with the campus experts on IT security in offering this new coverage," says Kate Rychlinski, assistant director of risk management. "This is an innovative collaboration designed to support a comprehensive risk-management framework and enhance IT security practices across the university. Over time, we anticipate an overall reduction in risk of losses attributed to cyber threats."

Information and Infrastructure Assurance, the Information and Technology Services department charged with overseeing the campus information security program, is the liaison to Risk Management with respect to initiating claims under this coverage. Rychlinski notes that once Risk Management determines there is a valid claim, it will be reported to the insurance company for processing and reimbursement.

The extent of coverage available to university units and departments, reflected by amount of the deductible, is dependent on their level of implementation of the university's IT security program.

"Just like insurance companies offer a good-driver discount, we have structured the U-M cyber risk insurance coverage to reward campus units that have made significant efforts to put in place the best practices identified in our information security program," Howell says.