In February 2019, Anomali, a cybersecurity solutions company, identified a phishing page posing as an actual TxDOT website. A little more than a year later, TxDOT’s network was hit by a ransomware attack.
“TxDOT spent over $10 million to identify and address the May 2020 attack in order to minimize disruptions to operations across the state,” Blanco said in an email. “Many of these costs are in the reimbursement process under TxDOT’s cyber insurance policy.”
The department initially purchased cyber insurance in 2019 as protection for toll revenue bondholders. However, the policy is currently being used to cover TxDOT’s IT system until its toll operations system can be efficiently segmented from TxDOT’s larger integrated IT system.
“As TxDOT continues to upgrade and refine its IT systems, there may come a time when the IT systems for toll revenue operations are completely separate from the rest of the IT system,” Blanco said. “This separation would require TxDOT to obtain a separate cyber insurance policy to cover an incident like the one TxDOT previously experienced.”
But how would purchasing another cyber insurance policy help achieve this? According to Christine Marciano, president of Cyber Data Risk Managers, it’s about having two different types of coverage.
“This insurance would cover first-party and third-party coverages,” Marciano said. “First-party coverage would cover the department in the event of a cyber or ransomware attack, while third-party coverage would cover individuals outside of the department that are affected by a TxDOT-related cyber incident.”
An example of third-party coverage would include calling, sending letters to or emailing individuals whose information has been compromised in a TxDOT data breach. Once notified, those individuals would receive offers for credit monitoring and even compensation depending on the situation.
As for other benefits associated with purchasing cyber insurance, companies and organizations would have access to a team of forensic investigators to research and address cyber incidents, as well as data breach coverage, cyber extortion defense, legal support and business interruption loss reimbursement.
However, despite these benefits, many organizations and government agencies still question whether they should purchase cyber insurance.
The reason for this skepticism, Marciano said, is a lack of understanding about what cyber insurance is.
“There’s a gap when it comes to knowing what cyber insurance to purchase, especially when it comes to finding a policy that aligns with a company’s or organization’s needs,” she said.
Another reason organizations hesitate to purchase cyber insurance is the cost.
“For a while, underwriters were underpricing cyber insurance policies,” Marciano said. “However, as more claims have come in, underwriters have been forced to charge higher prices to compensate for these claims.”
Costs aside, Blanco emphasized the importance of TxDOT purchasing additional cyber insurance as a way to shield Texans and itself from criminals.
“Allowing TxDOT to purchase cyber insurance would further protect Texans’ personal data and information,” Blanco said. He added it would also “protect TxDOT from loss of revenue caused by a cyber attack.”