Cyber Security Insurance: Do You Need It?
By Brandon Clarke and Karen Petrillo | July 17, 2016
The term cyber liability refers to the risk and responsibility that a business carries when it stores data. In today’s world, most data is stored on a computer network; however, the liability extends to information stored on paper records as well. Medical practice records are rich with data, including sensitive patient health information, social security numbers and possibly credit card information. As the owner of this data, you are responsible for its safekeeping, which means you must protect it against cyber-based criminals. You must also protect data such as paper records, patient IDs and photos from “human error,” which includes any of these being posted publicly. Since there are no guarantees when it comes to network protection, a cyber liability insurance policy can offset the costs and reduce the time to remedy a cyber breach.
Cyber and privacy insurance policies provide coverage for the liability a business might incur in the event of a data breach. Whether someone gains access to your electronic network or computers, or paper files go missing, a cyber liability insurance policy can help you address the repercussions more quickly than if you have to go it alone. While other insurance policies may cover the loss of computer hardware, many practices mistakenly think that these policies cover the data. Unfortunately, they usually don’t. Cyber liability insurance has become its own specialized insurance policy. Every cyber policy is different and new types of coverage are added daily to keep up with changes in technology.
What motivates cyber criminals?
It might help to understand the motives of cyber criminals. Data is valuable, and even in small-time cases cyber perpetrators can make a quick buck on social security numbers or credit card numbers. Healthcare organizations are often targets of cyber attacks because of the extent of data they possess, and patient records are a jackpot for cyber criminals. Patient records can be sold off on the black market for as much as $6.40 per record.* In more elaborate cyber attacks, like ransomware, an entire healthcare network is held hostage until a financial demand is met. In the case of Hollywood Presbyterian, hackers shut down the hospital’s entire network for over a week and demanded $3.7 million in exchange for its release.
The types of policies and the coverage they offer vary quite a bit. In addition to cyber security insurance policies, there are also cybercrime policies to cover things like wire transfers and social engineering, where an employee is manipulated into performing acts or divulging information, such as responding to an email requesting that a bookkeeper change company bank information. Once that money is transferred, no coverage exists under a standard crime or cyber liability insurance policy.
The risk of saying “pass” on cyber liability protection
The risk of not having it or not having appropriate coverage is simply the amount of time and money you will have to spend to pay for and manage the following:
- Legal Fees
- Regulatory Fines and Penalties
- Forensics Expense
- Immediately reaching out to all patients via mail and/or phone
- Arranging for monitoring of patients’ credit profiles for up to one year
- 24-hour call center expense
- Business interruption income loss
- Business extra expense loss
Be sure to talk with a cyber liability expert
While lots of insurance companies offer bits and pieces of coverage, it is still somewhat uncharted territory. The coverage language is often not very broad and the coverage amounts are usually too small. It is imperative to talk with a specialized insurance agent about cyber liability and cybercrime insurance. Inappropriate coverage may be no better than no coverage at all. A qualified insurance agent with the background and knowledge of how cyber liability policies work can help you navigate this ever-changing aspect of today’s technology-driven world.
Key questions to ask your cyber liability insurance provider
- Does my current cyber liability policy cover me for first-party coverages? First-party coverage includes things like costs to regain access, or restore data, if recoverable, business interruption for loss of income, and reputation loss. If so, how much policy coverage exists?
- How much regulatory coverage exists? Does this cover HIPAA fines and penalties?
- Does your current policy cover PCI fines and costs?
- Is notification expense covered? Does this include mailers and call centers? How does notification work?
- Do you need a cybercrime policy? Are you covered for social engineering coverage?
- What happens if a claim occurs? It depends on the company from which you purchased your policy. Some companies have specialized claims teams that only deal with cyber liability; some don’t have dedicated claims people.
— Brandon Clarke (email@example.com) and Karen Petrillo (firstname.lastname@example.org). Brandon is co-founder of Affenix, an insurance company in Knoxville, Tenn. that specializes in cybersecurity and liability. Karen is Director of Marketing at DoctorsManagement.