Key to cyber insurance process is finding the right broker

Part two of our cyber insurance series highlights the need for healthcare organizations to compare prices and find a carrier willing to partner on cybersecurity.
By Jessica Davis
02:09 PM
Share
illustration of man holding red umbrella

With cybersecurity, there’s no 100 percent certainty that an organization is completely protected against cyber threats. As a result of this reality, an increasing number of healthcare organizations are turning to or considering cyber insurance.

It’s a step in the right direction, but not all policies are created equal. And the right carrier will be determined by the size and scope of the organization. With that in mind, here’s a look into how to select a cyber insurance broker.

Getting started

There are a wide range of underwriters and an even greater number of policies. In fact, the cyber insurance market is predicted to reach $7 billion by 2020, according to investment bank Jefferies. The market is in flux, making it difficult to weed out options.

To begin, an organization needs to assess their needs to know what precisely should be covered with a policy, like the volume of data, which could affect cost, explained Jane Harper, director of privacy and security risk management services for Henry Ford Health System.

A risk assessment, above and beyond HIPAA is required to properly address the needs of an organization, she added.

While Harper could not say whether there was one carrier she preferred over another, at the end of the day, the carrier should be a company that will be a partner on cybersecurity and risk.

“You want someone to be open, honest and work for you,” Harper said. “Someone who is going to partner with you, not just on what you’re covered for, but on the areas you’re not covered, so you can develop policies to cover those things.”

“The carrier will have a commission, a governing body that helps to keep them on the straight and narrow,” she continued. “Look for someone reputable, part of the National Association of Insurance Commissioners.”

NAICs are the U.S. standard setting and regulatory support organization created and governed by chief insurance regulators.

Lastly, organizations should look for a carrier and policy that is reasonably priced, Harper added.

Red flags

One of the biggest red flags is when a carrier’s “quote is significantly larger than everyone else’s,” said Harper.

According to a recent Forrester report, the market is growing and that comes with more transparent policies and insurers with an increased understanding of cyber risk. However, there are still a lot of hurdles -- including excessive pricing, coverage gaps and even internal struggles when it comes to purchasing decisions.

But one of the biggest issues the report found is that just the act of buying insurance is a complicated web when it comes to the parties involved. Buyers need to navigate this labyrinth of underwriters, brokers, cyber risk scoring partners, legal counsel and security teams.

In fact, the relationship between the underwriter and chief information security officer is key, the report found. The CISO and broker will, at the end of the day, be tasked with updating the policy when needed and handling claims. So when choosing a broker, their incentives must prioritize that relationship.

Organizations need to review their offered services and customer reviews to choose correctly.

Harper echoed these sentiments: The right members of the organization need to be involved in the process, and the carrier needs to have healthcare experience.

“Strategically, when we sign a policy, risk leaders are on call with the chief privacy security officer and other key members of the team,” said Harper. “And one of the things we’ve noticed recently, the insurance company has started inviting people to the conversation who have a better understanding of privacy and security matters, and tech matters as well.”

“If you get into the conversations, and they don’t know the industry or privacy and security, it may be difficult to speak to them when you have an incident,” she continued. “You want to make sure they’re dealing with someone who knows the privacy and security policy that they are underwriting. They don’t need to be an expert, but they need experience.”

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com