You’ve been breached, so what does that mean with cyber insurance?
In this current threat landscape, healthcare data breaches are common -- if not nearly inevitable. Cyber insurance policies can provide some protection in that worst case scenario, but only if an organization has carefully selected the right policy and carrier.
But cyber insurance isn’t some magic cure-all. As with any type of insurance, a healthcare organization must hold up to its end of the bargain.
Here’s what Jane Harper, Henry Ford Health System’s director of privacy and security risk management and Matthew Fisher, partner with Mirick O’Connell had to say about the legal considerations an organization needs after a breach.
Once a breach has been confirmed, healthcare organizations need to tell the insurance broker as soon as possible, explained Fisher. In that way officials can figure out if there are any potential objections to coverage.
“The insurance broker will want a role in the investigation,” said Fisher. “It could be immediate, and they’ll help right away or ask for an assessment before they get someone in place. The insurance carrier may have the tools.”
“So it’s always best to notify the carrier as soon as possible to take advantage of these tools and experience,” he added.
As with the variances in policies and coverage, each insurer will have its own preferences on how to handle a breach -- including the preferred vendors and or investigators an organization must use in case of a breach, Harper explained.
“The insurance carrier may require you to use a third-party that they approve and that they work with on a regular basis,” Harper said. “You may not be able to use your own investigation team and may not be able to get outside council: that may be dictated by the insurance company.”
It’s also important to note that the third-party is gathering evidence on behalf of the insurance company, “so when they write the report and finding all of those things, they’re very, very much the property of, not just your organization, but the cyber insurance company,” she explained.
“And the results of the investigation can possibly dictate whether these people believe your breach or incident is covered,” said Harper.
So if an organization wants to be able to hire its own investigative team and council, “those items need to be worked on up front when building the contract,” she explained.
For example, imagine you own a home and have a homeowner’s insurance policy. If there’s a fire, the insurer will hire a company to investigate the fire and determine the cause. The investigator will return a copy of the report to the insurer -- “working on behalf of the insurance company,” Harper said.
The investigation may be part of the policy, but that report is for the insurance company and may not examine those finite details a healthcare organization needs to know -- like the type of virus, Harper explained.
“If you don’t want that to be the case, you need to get that upfront,” she said.
Not only that, but as the insurance company is trying to manage cost.
“We write policies sometimes, not expecting that the cost of the policy would be more than the review as a result of the policy,” said Harper. “At that point, now there are these issues and you’ve had an incident, someone is about to spend money.”
Harper advised being careful when an insurance hires the third-party investigator because “they’re trying to manage costs,” she continued. “They may not hire the most advance team.”
In fact, Harper explained that she’s worked with forensic organizations for her own personal capacity, and “sometimes they never find out who did it and what exactly happened.” Consider the major breaches at Target, Equifax, Home Depot and the like -- and how many years it took to determine the cause.
Ultimately, organizations need to take their time with researching and selecting the right carrier and policy.
“At the root of insurance: It’s a way to manage risk related to cyber activity that could affect the availability and integrity of your personal information,” Harper said. “You want a carrier who’s going to partner with you -- not just what you’re covered for -- but what you’re not covered for so you can develop policies to cover those things.”