
Why do Schools and Mental Health Organizations need cyber insurance?

  • Daryl Henry
  • Nov 27, 2024

Explaining the need for cyber insurance is difficult because in many situations, people have never seen what it looks like.


I imagine that if I had never seen fire before, it would be very difficult for me to understand the need for fire insurance.  That would be perfectly reasonable.


That’s why I wanted to take the time to discuss a news story about a data compromise within the Minneapolis Public School System.




More than 300,000 files from the Minneapolis Public Schools system were dumped online.  The threat actor shared stories of sexual assault, psychological evaluations, and medical records.


When I read the article, I paused on this.  Most times when I’m discussing cyber claims, or any claim for that matter, I’m discussing hard facts like downtime, compromised files, and lost income.


With Schools and Mental Health Organizations, the potential for trauma after a data breach is immense. 


Imagine the records for a domestic violence shelter are compromised.  The personal records of an abused spouse are spread on the internet for the consumption of the angry significant other.  That situation can’t be corrected with a credit monitoring service.  The victim’s life could be in danger.


For the sake of a mental exercise, let’s play through the entire scenario so that we can illustrate what a cyber policy can do and what the potential costs are:


A threat actor gained access to the Minneapolis Public School System records.  I haven’t seen anything in an article, but this likely happened as a result of human error.  Humans are still the number one vulnerability in your cyber security environment.


The school system would also need a Forensic IT professional to sort out how the threat actor entered the environment.  This could be paid for by insurance.


If any of the data was destroyed, they would need to recreate the data.  This could be paid for by insurance.


The threat actor demanded a $1,000,000 ransom from the Minneapolis Public School System.  The School System refused to pay it.  A ransom demand like this falls under the ransomware coverage of a cyber policy.


As an aside, the FBI doesn’t like when ransoms are paid because they view the transaction as if you’re negotiating with a terrorist.  In my mind, I’ll let the insurance companies sort out that issue.


When the ransom was not paid, the threat actor dumped thousands of files on the internet.


Now the School System is responsible for paying for letters, credit monitoring services, and damages as a result of the breach.  Beyond that, people will be traumatized as a result of very personal information being released on the internet.  This could be paid for by a cyber liability policy.


After the families are notified, a large data breach will be covered by the press. A PR firm is very helpful for mitigating reputational damage. This can be paid for by insurance as well.


Cyber threat actors are interested in making a profit from your data.  The worst ones have no regard for human life or dignity.  This story illustrated another way threat actors can profit from someone else’s pain.

Comments


Please send the General Liability Analysis Framework Spreadsheet
