The value of cyber insurance for health care providers

Health care organizations that understand their cyber insurance coverage have much to gain in mitigating cybersecurity risks for their organization. However, understanding coverage is only the beginning when it comes to safeguarding sensitive data. Organizations that fail to continuously monitor their coverage become at risk due to escalating security challenges.

According to the National Association of Insurance Commissioners, data breaches increased by 68% from 2020 to 2021, due in part to health care providers embracing the pandemic-era realities of virtual care and remote work. Unfortunately, when quickly implementing technologies during this transition, organizations may have overlooked some security vulnerabilities.

Many organizations have found, insurance can provide a variety of protections and benefits, including:

Selection factors

The cost of cyber insurance can vary significantly, depending on various factors specific to each organization. These include organization size, industry sector, annual revenue, the extent of coverage desired, past cyber incidents, cybersecurity measures in place, and the level of risk associated with the organization's data and operations. In addition, multiple types of coverage are available, including the following:

First-party coverage

Focuses on the direct losses and expenses incurred by the insured organization as a result of a cyber incident. It typically includes (but is not limited to) data breach response cost, business interruption losses, data restoration, and crisis management and public relations.

Data breach response costs

Covers expenses related to breach investigation, notification of affected individuals, credit monitoring services, public relations, legal fees, and regulatory compliance.

Third-party coverage

Focuses on liabilities and expenses arising from claims by third parties affected by a cyber incident. It typically includes (but is not limited to) privacy liability, network security liability, media liability, and vendor or business partner liability.

Cybercrime coverage

Specifically designed to address financial losses resulting from cybercrimes such as fraudulent funds transfer, social engineering, or electronic theft.

Organizations should carefully assess their cyber risk profile and consult with insurance professionals to determine the most appropriate types and levels of coverage for their specific needs. Cyber insurance policies can vary in terms of coverage limits, exclusions, deductibles, and additional services, so it's essential to review and understand the terms and conditions of the policy before purchasing.

While cyber insurance provides valuable protection against cyber risks, some potential disadvantages include:

Cost.

Premiums can be expensive, especially for organizations with higher levels of risk or requiring extensive coverage. The cost may vary based on factors such as the organization's size, industry, cyber risk profile, and desired coverage limits. For some organizations, the cost of cyber insurance may outweigh the potential benefits.

Coverage limitations and exclusions.

Limitations may vary from policy to policy, and it's important to carefully review the terms and conditions to understand what is covered and what is not. Common exclusions may include certain types of cyber incidents, preexisting vulnerabilities, acts of war or terrorism, or fraudulent acts by employees.

Compliance requirements.

Cyber insurance policies may impose specific requirements on organizations to maintain certain cybersecurity standards and risk management practices. Failure to meet these requirements could result in reduced coverage or denied claims. Compliance with these requirements may involve additional costs and efforts for organizations to ensure ongoing adherence.

A false sense of security.

Cyber insurance should not substitute for robust cybersecurity measures. Some organizations, mistakenly assuming that having insurance means they are fully protected, may neglect essential preventive measures. It is critical to have comprehensive cybersecurity practices in place, including regular risk assessments, employee training, incident response plans, and strong technical controls, in addition to having insurance coverage.

Controlling costs

Premiums for cyber insurance can range from several thousand dollars to hundreds of thousands of dollars per year. Small businesses with lower revenue and fewer cyber risks may be able to find coverage at the lower end, while larger organizations with higher revenue and more complex cyber risk profiles, including health care organizations, can expect to pay significantly higher premiums.

It's important to note that cyber insurance premiums are not the only cost associated with cyber insurance. The policy may specify deductibles, copays, or other cost-sharing arrangements. Additionally, some policies may have separate sub-limits for specific types of losses or expenses, such as legal defense costs or public relations services, which could affect the overall cost.

Fortunately, with the right cybersecurity strategy, it’s possible to lower insurance premiums and maximize the value of a cyber insurance package. The following actions add value to an organization’s risk management policies and practices, and underwriters take them into consideration when determining cybersecurity premiums: 

• Adopt a cybersecurity framework such as CIS (Center for Internet Security), NIST (National Institute of Standards and Technology), ISO 27001, and SOC 2 (System and Organization Controls).
• Enable multifactor authentication.
• Develop an incident response plan.
• Ensure secure data backup.
• Conduct regular penetrating testing.

In conclusion

Organizations should consider cyber insurance costs as part of their overall cybersecurity budget and risk management strategy. While cost is a factor, it should be weighed against the potential financial losses and liabilities that can arise from a cyber incident, as well as the value of the coverage and risk mitigation services provided by the policy.