Driven largely by an ongoing increase in ransomware attacks and payouts, cyber insurance carriers today require more stringent controls to get—and keep—coverage. What was once just a few questions are now applications and questionnaires that span many pages.
And, today’s cyber insurance providers won’t just take your word that you’ve implemented mature cyber hygiene practices. They want you to demonstrate and document what you’re doing alongside ongoing validation processes. One small misstep or inaccuracy could mean your coverage won’t pay out when you need it most.
The reality is that while many healthcare organizations know they must meet HIPAA privacy and security requirements, most struggle with understanding which—and how many—cybersecurity controls and frameworks are reasonable and appropriate for their organizations. Fewer have robust risk analysis and risk management programs, and most can’t fine-tune their cyber programs at an individual control level.
When your organization doesn’t have comprehensive visibility into your cybersecurity practices, completing a cyber insurance application is a nightmare. The good news is this process doesn’t have to be that complicated. With a good understanding of what’s happening in the market and industry-recognized best practices, you can build confidence to obtain—and maintain—cyber insurance coverage for when you need it most.
The Ransomware Rise
Just a few years ago, healthcare organizations could easily get insurance with limited underwriting information. Carriers wanted to build their books, and cyber insurance premiums were affordable. But that began to change in 2020 with the rise of ransomware attacks and increased ransomware payouts and claims.
Historically, ransom payments were in the tens of thousands of dollars, with the occasional payout exceeding $100,000. Yet, it didn’t take long for threat actors to realize they could further monetize their criminal activity by launching more widespread ransomware attacks.
In Q1 2020, for example, ransomware claims were about $60 million but had nearly doubled by year’s end. Claims continued to increase into 2021, with Q2 claims reaching nearly $190 million.
As payouts and claims increased, carriers looked for corrective actions, for example, they started to sublimate coverages like cyber extortion. Ransomware coverage changed, and in some cases was completely excluded from policies.
Healthcare organizations started to take note too, especially as they experienced their own breaches and felt vulnerable to future attacks. They responded by beefing up their cybersecurity programs and increasing ransomware awareness. By early 2022, there seemed to be a payoff for all the hard work with the 2023 Coalition Cyber Claims Report revealing ransomware claims had finally begun to slow, and along with it, the spike in cyber insurance premium rates. There was also, at last, more competition entering the cyber insurance marketplace, which helped to lower premiums.
Ransomware is Here to Stay
Moving into 2023, ransomware claims began trending upward again. Malwarebytes 2023 State of Ransomware Report found that by the end of 2022, the average number of ransomware attacks per month in the U.S. hovered around 100, but by May 2023, it doubled, hitting 212 known attacks that month.
Zscaler’s 2023 ThreatLabz State of Ransomware report found that in 2023, ransomware attacks have increased by nearly 40%.
The good news? As cyber insurance and other regulatory and compliance requirements get tougher, organizations are maturing their programs, and fewer are paying out ransom as they once did.
Still, attack frequency and severity continue to increase as bad actors work to further monetize criminal activities and attacks get more complex. A ransomware attack a few years ago may have resulted in a hacker locking up an organization’s systems and data and then demanding a ransom for a decryption key to get it back. Today, in addition to taking data hostage, attackers also threaten to release sensitive and protected data onto the Dark Web, with skyrocketing ransom payouts. The Zscaler report found that the average enterprise ransom payment exceeds $100,000, with an average demand of more than $5.3 million.
Healthcare Still in Attackers’ Crosshairs
Health systems report major upticks in their premiums and the number of cyberattacks wreaking havoc on the industry and claims activity is a major driver of increased cyber insurance rates.
Attackers know healthcare data is valuable, so healthcare remains centered in their crosshairs. Not only are healthcare breaches increasing, but they’re exposing unprecedented numbers of records. So far in 2023, there have been nearly 90 million record exposures. In July 2023 alone, breaches exposed nearly 22 million.
These numbers should be a wake-up call for healthcare organizations as the average cost of a healthcare data breach is nearly $11 million, making healthcare, once again, the most expensive of all industries in cost of a breach. If you’re a healthcare entity or a business associate that deals with healthcare-related data, expect to undergo additional scrutiny when looking for cyber insurance coverage.
Top 10 Controls to Get Coverage
So, how can you ensure you’ve got everything in place before applying for cyber insurance? The following recommended list of 10 cybersecurity controls may help you get coverage and prove you were doing what you said you would do, should you have to file a claim.
While each cyber insurance provider will have unique requirements (so be sure to read all the fine print in your policy), HUB International’s Senior Vice President, Technology & Cyber Leader Nate Hansen recently shared the following best practices on a Clearwater webinar as most cyber insurance carriers will require these :
- Multi-factor authentication (MFA) for remote/email/privileged user/cloud access
- Backups made offline from your main network
- Endpoint detection and response (EDR) tools
- Patch management procedures
- Remote desktop protocol (RDP) management/vulnerability scanning. It’s important to note here that almost every carrier now utilizes some type of vulnerability scanning tool or process as part of their underwriting practices. They may use the results of those scans to determine if your organization is eligible for coverage.
- Incident response and business continuity plans
- Email security tools/privileged account tools (i.e. Privileged Access Management or PAM tooling)
- Cybersecurity awareness training, for example, phishing and social engineering exercises
- Internal and/or external 24×7 security operations center (SOC)
- End-of-life software segmented from your main network
As ransomware and other attacks become more complex, it becomes trickier to understand exactly what you may need from a coverage perspective and how that might apply to your organization. In addition to the controls listed above, it’s also important to stay up to date on emerging trends across the threat landscape.
If you currently have coverage, don’t wait until your policy is about to expire before thinking about a renewal. Both your needs and your insurer’s coverage and claim requirements may have changed. To ensure you’re getting the best rates for the most reasonable and appropriate coverage for your organization, set aside a couple of months to shop around, have important conversations with potential insurers, and ensure you have everything in place—and that it’s documented and accurate—to complete the application process.
If you’re new to this process or want to ensure you have industry-recognized controls that work as designed, consider partnering with a cybersecurity risk analysis professional who can help you take a more comprehensive look at your organization’s unique risks and offer advice and support on how to remediate them. With the help of a trusted partner, you can build confidence that you know what your risks are and you’re proactively mitigating them.
