It's been less than a year since the National Association of Insurance Commissioners (NAIC) created model regulations around cybersecurity coverage in late 2017. And so far, California is holding firm as a self-insured entity.
The NAIC model includes protocols on how to report events, security assessments, team construction and security integration across partnerships.
While the NAIC has made it a goal to get a majority of states to adopt the law with few changes within three years, California state government has since delegated responsibility for cybersecurity insurance to each individual department.
Chris Cruz, deputy chief information officer for the state, told Techwire in an April interview that the California Department of Technology will not be purchasing cybersecurity insurance.
"In accordance with Government Code (Section 11007.4, to be exact), the state has elected to be self-insured for tort liability exposures. CDT is not required, nor has it elected to purchase separate cyberliability insurance," CDT spokesman Bryce Brown told Techwire.
Even though vendors have tough insurance requirements, they are not required to hold cybersecurity insurance as a condition of working with the state. The insurance could cover any data loss and associated repercussions of a cybersecurity attack.
The University of California has been purchasing its own cyberinsurance since 2010.
"UC’s cyber insurance program is designed to incentivize the proactive adoption of cybersecurity best practices throughout the UC system, and to protect the university against direct and indirect costs caused by data security breaches," Stephanie Beechem, spokesperson for the UC's Office of the President, told Techwire in an email.
Vendors who work with the UC are required to have their own cyberinsurance if they plan to access or store non-public information.
"UC has worked to significantly expand the amount and scope of its cyber coverage. In an evolving cyberinsurance market, the university leveraged its existing relationships with insurers and cyberexperts as well as its increased cybersecurity readiness to obtain increased coverage that further protects the university and mitigates risk," Beechem wrote.
