What to know about risk, coverage before you buy cyber insurance
Cyberattacks cost organizations around the world hundreds of billions of dollars a year and could tip into the trillions before 2020, according to various estimates, and they wreak havoc with information systems and data.
Well, rest assured there’s more to come.
That’s where the question of cyber insurance comes in. If a healthcare organization decides to insure itself against cyber-attacks, how do C-suite executives and others go about evaluating potential cybersecurity risks and coverage in today’s chaotic threat landscape?
“It starts with a top to bottom assessment of your IT capabilities as well as how information is stored,” said Stuart O’Neal, an attorney at Burns White and co-chair of the firm’s cybersecurity and professional liability groups. “There are a lot of variables. The best way to determine coverage, and whether an organization has enough, is through an interactive meeting with your insurance broker and researching what your organization's options are, how they are covered, what scenarios are not covered and how your organization is positioned relative to that coverage.”
Healthcare organizations have to understand that cyber-attacks are going to happen to them with increasing frequency and intensity. Despite the investment of substantial resources in cybersecurity, the healthcare industry remains extremely vulnerable, according to the May 2017 Healthcare Cybersecurity Industry Taskforce Report to Congress.
“There are many well documented reasons for this, including: the sheer size of the healthcare sector; the fact that digital health records are a recent phenomenon, relatively speaking; and the ‘open culture’ of healthcare in terms of information sharing for patient care,” said Steven Gravely, a partner and healthcare practice lead at Troutman Sanders.
Other reasons include the reality that most healthcare provider organizations have layers upon layers of legacy IT systems with differing levels of cybersecurity and cannot be easily patched, and the drive to achieve interoperability among different provider organizations, which means that everyone is only as strong as the weakest link, Gravely added.
“Providers must treat cybersecurity as an enterprise risk that will affect the entire organization rather than simply an IT issue,” he added. “The dollar amount of coverage is certainly one important factor, but as important is the scope of the coverage. What is included under the policy as a covered loss and what is not.”
The industry is seeing more litigation about excluded liability as the type of cyberattacks evolve and new losses emerge. For example, virtually every cyber-insurance policy covers the costs of notification to affected persons and the cost of a lawyer to serve as the data breach coach for a specific event.
“But some policies do not cover the costs to prepare notifications to OCR or state regulators or the penalties that those regulators impose,” Gravely said. “Still others do not cover lost revenue due to a provider having to suspend services during a ransomware attack. It is critical for a healthcare provider organization to understand what its cyber-insurance policy covers and what is excluded.”
And it is important to understand that the cyber-insurance market is evolving constantly as the nature of cyber-threats change, he added.
An emerging risk for healthcare organizations to consider is how patients will receive care if computer systems are inoperable. Bodily injury arising out of a cyber-attack is also becoming a reality as more medical devices are connected to the web and the Internet of Things.
“Above all, the risk manager and IT director need to evaluate how comprehensive their incident response plan is, usually by engaging a third party for assistance,” said Nick Cushmore, assistant vice president at insurance broker The Graham Company. “A well-executed response plan is the best way to mitigate the financial impact to an organization following a cyber-incident.”
When it comes to coverage, benchmarking data on what limits were purchased by comparable organizations should be available from an insurance broker or carrier, and there are breach calculators that can be used to estimate the potential cost of a breach based on the number of records compromised.
“Both of these tools should be utilized to ensure the organization is comfortable with the limit structure it decides to purchase,” Cushmore said. “Obviously, the financial condition of the organization and its individual tolerance for risk will also come into play.”