Tech Talk | Cyber Insurance: Alignment with Cybersecurity Best Practices
Mike Robey, MS
AAO-HNS/F Senior Director, Information Technology
When was the last time you reviewed your cyber insurance policy? Significant changes have taken place within this segment of the insurance industry, most likely caused by the exponential growth of threats and losses from cyber events. According to Forbes, the healthcare industry faced a 755% increase in ransomware attacks in 2021. This article provides an update on what you need to know.
For organizations that have an online presence or work with cloud-based software, obtaining cyber insurance to protect against losses due to cyber threats is an expected business expense. Business interruptions and data breaches are costly. Reputation loss, particularly if patient information is exposed, is another big concern. All this said, one of the biggest drivers for obtaining cyber insurance is to cover other contractual obligations. Many technology support and cloud service agreements require you to carry cyber insurance.
Table 1 lists some of the expenses in the more common risk areas that cyber insurance covers.
During the Academy’s recent experience renewing our cyber insurance, we discovered two new endorsements added to our policy:
- Neglected Software Vulnerability
- Widespread Cyber Events
Neglected Software Vulnerability introduced a sliding scale of diminishing coverage. Basically, this endorsement says that if an attacker exploited a known vulnerability for which a patch was available, the amount of coverage is reduced depending on the number of days the patch had been downloadable before the cyberattack. The National Vulnerability Database (NVD), https://nvd.nist.gov, is commonly used to determine when the fix became available.
Widespread cyber events are ones that affect multiple policyholders. Like flood insurance, widespread cyber event coverage is an added endorsement to a policy to protect the insurer from paying out multiple policyholder claims based on a single event. With any reported cyber event, you can expect a forensics study to be conducted to determine the cause and whether the event was limited (only affected your practice) or widespread (affected other organizations, too).
Alignment with Cyber Hygiene
Cyber insurance is aligning with cybersecurity best practices. Based on questions asked by our carrier as well as additional research, Table 2 provides a list of cybersecurity areas that insurers are likely to probe.
Preparing for a Cyber Incident
Now that we have defined cyber insurance’s risk coverage areas and discussed alignment with cybersecurity best practices, let’s transition to preparing for a cyber incident. At the very least, create a cheat sheet that has the name of the insurer, your policy number, and the number to call to report an incident. Keep it in a secure place, and make sure it is readily accessible from wherever you are. The last thing you want to do is dig through a pile of documents to find this critical information. Also, keep the policy itself handy; you will need to refer to it after an incident is reported.
Many insurers want you to use one of their preferred incident response providers. Typically, these are organizations independent of your insurer. Your policy may state that you can use any incident response provider you like, but if you do not use one of the preferred providers, your coverage will be reduced. Most insurers publish the list of preferred incident response providers on their website. Make sure your cheat sheet includes the URL of that list. You may also want to contact a few of the providers before an incident occurs to establish a relationship in advance.
Think of cyber insurance as a component of your overall cybersecurity strategy. Like it or not, your next renewal will be aligned with cybersecurity best practices. The tables provided in this article are a good starting point for reviewing your cybersecurity hygiene plan. Another good source is the past Tech Talk article on combating ransomware: https://bulletin.entnet.org/aao-hnsf-2021/article/21759592/tech-talk-a-framework-for-combating-ransomware.
One final thought: At some point, you may have to attest that your practice does perform steps such as software patching on a regular basis. For every action item in your cybersecurity plan, make attestation a component so that you can quickly respond to your cyber insurer’s requests for more information when an incident is reported.
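The two points above come together in a simple piece of record keeping: the Neglected Software Vulnerability endorsement turns on how many days a fix had been available before an attack, and an attestation is only useful if the dates behind it are already written down. The following Python script is an added example, not code from the Bulletin article or from the AAO-HNS/F. It reads the publication dates of CVEs from a record in the shape returned by the NVD CVE API 2.0 (the `vulnerabilities[].cve.id` and `cve.published` field names are an assumption about that API), compares them with the practice’s own patch log, and produces a per-CVE patch-lag record that can be kept as attestation evidence. The CVE identifiers, dates, incident date and the `threshold_days` value are all constructed sample data; the actual day thresholds on an insurer’s sliding scale are set by the policy, not by this code.

```python
"""Patch-lag report supporting a cyber insurance attestation.

Added example, not from the article or the AAO-HNS/F. For each CVE it measures
how long a fix had been publicly available (NVD publication date used as the
availability date, as the article describes) before the practice applied it
or before the incident occurred, whichever came first.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample: the subset of an NVD CVE API 2.0 response this report reads.
# The "published" and "id" field names are assumed from that API's record shape.
NVD_SAMPLE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "published": "2021-01-10T14:00:00.000"}},
        {"cve": {"id": "CVE-0000-0002", "published": "2021-03-01T09:30:00.000"}},
        {"cve": {"id": "CVE-0000-0003", "published": "2021-04-20T11:00:00.000"}},
    ]
}

# Constructed sample: the practice's own patch log (CVE id -> date the fix was
# applied, None if it was never applied). This is the record to keep for attestation.
PATCH_LOG: Dict[str, Optional[date]] = {
    "CVE-0000-0001": date(2021, 1, 14),
    "CVE-0000-0002": date(2021, 5, 15),
    "CVE-0000-0003": None,
}

# Constructed sample incident date used in the worked run below.
INCIDENT_DATE = date(2021, 5, 1)


@dataclass
class PatchLagRecord:
    cve_id: str
    published: date
    patched_on: Optional[date]
    days_unpatched: int        # exposure window ending at the patch date or the incident
    open_at_incident: bool     # True if the fix was not applied before the incident


def nvd_published_dates(nvd_json: dict) -> Dict[str, date]:
    """Map CVE id -> NVD publication date (assumed 'published' field, ISO 8601)."""
    out: Dict[str, date] = {}
    for item in nvd_json.get("vulnerabilities", []):
        cve = item["cve"]
        out[cve["id"]] = datetime.fromisoformat(cve["published"]).date()
    return out


def patch_lag_report(nvd_json: dict, patch_log: Dict[str, Optional[date]],
                     incident_date: date) -> List[PatchLagRecord]:
    """Build one PatchLagRecord per CVE in the patch log, sorted by CVE id."""
    published = nvd_published_dates(nvd_json)
    records = []
    for cve_id in sorted(patch_log):
        pub = published[cve_id]
        patched_on = patch_log[cve_id]
        # A patch applied after the incident does not shorten the exposure window.
        open_at_incident = patched_on is None or patched_on > incident_date
        window_end = incident_date if open_at_incident else patched_on
        days = max(0, (window_end - pub).days)
        records.append(PatchLagRecord(cve_id, pub, patched_on, days, open_at_incident))
    return records


def neglected_at_incident(records: List[PatchLagRecord], threshold_days: int) -> List[str]:
    """CVEs still open at the incident whose fix had been available >= threshold_days.

    threshold_days is a hypothetical parameter standing in for a step on the
    insurer's sliding scale; the real values come from the policy wording.
    """
    return [r.cve_id for r in records
            if r.open_at_incident and r.days_unpatched >= threshold_days]


def format_attestation(records: List[PatchLagRecord]) -> List[str]:
    """Human-readable lines suitable for an attestation file or cheat sheet appendix."""
    lines = []
    for r in records:
        applied = r.patched_on.isoformat() if r.patched_on else "not applied"
        status = "OPEN at incident" if r.open_at_incident else "closed before incident"
        lines.append(f"{r.cve_id}: published {r.published.isoformat()}, "
                     f"patched {applied}, {r.days_unpatched} days unpatched, {status}")
    return lines


if __name__ == "__main__":
    report = patch_lag_report(NVD_SAMPLE, PATCH_LOG, INCIDENT_DATE)
    for line in format_attestation(report):
        print(line)
    print("Neglected (>= 30 days, hypothetical threshold):",
          neglected_at_incident(report, 30))
```

With the constructed data, the first CVE was patched four days after publication and is closed; the second was patched only after the incident, so its 61-day window runs to the incident date and it is the one the hypothetical 30-day threshold flags; the third was never patched but had been public for only 11 days. Keeping the patch log current is what makes the attestation trivial to produce when the insurer asks.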