The value of cyber insurance for health care providers

Monitoring coverage is key

Aug 24, 2023

Key takeaways

Organizations that fail to continuously monitor their cyber insurance coverage become at risk due to escalating security challenges.

The cost of cyber insurance can vary significantly, depending on various factors specific to each organization.

It's important for organizations to carefully assess their cyber risk profile and consult with insurance professionals to determine the most appropriate types and levels of coverage.


Health care organizations that understand their cyber insurance coverage have much to gain in mitigating cybersecurity risks for their organization. However, understanding coverage is only the beginning when it comes to safeguarding sensitive data. Organizations that fail to continuously monitor their coverage become at risk due to escalating security challenges.

According to the National Association of Insurance Commissioners, data breaches increased by 68% from 2020 to 2021, due in part to health care providers embracing the pandemic-era realities of virtual care and remote work. Unfortunately, when quickly implementing technologies during this transition, organizations may have overlooked some security vulnerabilities.

Many organizations have found that cyber insurance can provide a variety of protections and benefits, including:

Financial protection.

Coverage applies in the event of cyber incidents such as phishing schemes, malware attacks, and unauthorized access to computer systems. Health care organizations are prime targets for cybercriminals because they hold vast amounts of sensitive and valuable patient data, including Health Insurance Portability and Accountability Act (HIPAA)-protected health information and personally identifiable information. In the event of a breach, coverage can be provided.

Risk management services and incident response support.

With some cyber insurance policies, insurers can help health care organizations assess their cybersecurity posture, identify vulnerabilities and develop risk mitigation strategies. 

Alignment with data protection and privacy regulations.

Cyber insurance policies can be tailored to align with regulatory requirements such as HIPAA in the U.S. and the General Data Protection Regulation in the European Union, and to provide coverage for potential fines and penalties resulting from inadequate oversight.

Coverage for unforeseen risks associated with third-party vendors.

This applies to incidents arising from the actions of third parties or breaches of their systems when the incident affects the health care organization. 

Selection factors

The cost of cyber insurance can vary significantly, depending on various factors specific to each organization. These include organization size, industry sector, annual revenue, the extent of coverage desired, past cyber incidents, cybersecurity measures in place, and the level of risk associated with the organization's data and operations. In addition, multiple types of coverage are available, including the following:

First-party coverage

Focuses on the direct losses and expenses incurred by the insured organization as a result of a cyber incident. It typically includes (but is not limited to) data breach response cost, business interruption losses, data restoration, and crisis management and public relations.

Data breach response costs

Covers expenses related to breach investigation, notification of affected individuals, credit monitoring services, public relations, legal fees, and regulatory compliance.

Third-party coverage

Focuses on liabilities and expenses arising from claims by third parties affected by a cyber incident. It typically includes (but is not limited to) privacy liability, network security liability, media liability, and vendor or business partner liability.

Cybercrime coverage

Specifically designed to address financial losses resulting from cybercrimes such as fraudulent funds transfer, social engineering, or electronic theft.

Organizations should carefully assess their cyber risk profile and consult with insurance professionals to determine the most appropriate types and levels of coverage for their specific needs. Cyber insurance policies can vary in terms of coverage limits, exclusions, deductibles, and additional services, so it's essential to review and understand the terms and conditions of the policy before purchasing.

While cyber insurance provides valuable protection against cyber risks, some potential disadvantages include:

Cost.

Premiums can be expensive, especially for organizations with higher levels of risk or requiring extensive coverage. The cost may vary based on factors such as the organization's size, industry, cyber risk profile, and desired coverage limits. For some organizations, the cost of cyber insurance may outweigh the potential benefits.

Coverage limitations and exclusions.

Limitations may vary from policy to policy, and it's important to carefully review the terms and conditions to understand what is covered and what is not. Common exclusions may include certain types of cyber incidents, preexisting vulnerabilities, acts of war or terrorism, or fraudulent acts by employees.

Compliance requirements.

Cyber insurance policies may impose specific requirements on organizations to maintain certain cybersecurity standards and risk management practices. Failure to meet these requirements could result in reduced coverage or denied claims. Compliance with these requirements may involve additional costs and efforts for organizations to ensure ongoing adherence.

A false sense of security.

Cyber insurance should not substitute for robust cybersecurity measures. Some organizations, mistakenly assuming that having insurance means they are fully protected, may neglect essential preventive measures. It is critical to have comprehensive cybersecurity practices in place, including regular risk assessments, employee training, incident response plans, and strong technical controls, in addition to having insurance coverage.

Cyber insurance is a great risk treatment strategy within an organization’s risk management program. Health care organizations can prevent missing out on potential cyber policy benefits by reading their policy first, followed by performing rigorous periodic cyber assessments to challenge the organization’s cyber posture.

Jason Pymento, Manager, cyber strategy, risk and compliance at RSM US LLP

Controlling costs

Premiums for cyber insurance can range from several thousand dollars to hundreds of thousands of dollars per year. Small businesses with lower revenue and fewer cyber risks may be able to find coverage at the lower end, while larger organizations with higher revenue and more complex cyber risk profiles, including health care organizations, can expect to pay significantly higher premiums.

It's important to note that cyber insurance premiums are not the only cost associated with cyber insurance. The policy may specify deductibles, copays, or other cost-sharing arrangements. Additionally, some policies may have separate sub-limits for specific types of losses or expenses, such as legal defense costs or public relations services, which could affect the overall cost.

Fortunately, with the right cybersecurity strategy, it’s possible to lower insurance premiums and maximize the value of a cyber insurance package. The following actions add value to an organization’s risk management policies and practices, and underwriters take them into consideration when determining cybersecurity premiums: 

  • Adopt a cybersecurity framework such as CIS (Center for Internet Security), NIST (National Institute of Standards and Technology), ISO 27001, or SOC 2 (System and Organization Controls).
  • Enable multifactor authentication.
  • Develop an incident response plan.
  • Ensure secure data backup.
  • Conduct regular penetration testing.

In conclusion

Organizations should consider cyber insurance costs as part of their overall cybersecurity budget and risk management strategy. While cost is a factor, it should be weighed against the potential financial losses and liabilities that can arise from a cyber incident, as well as the value of the coverage and risk mitigation services provided by the policy.
