By Baxter Lee, CFO, Clearwater, and Kevin Hewgley, Senior Vice President, Lockton Companies

The healthcare industry continues to be a prime target for cyber-attackers. For the 11th consecutive year, healthcare tops IBM's "Cost of a Data Breach Report 2021" for the highest average cost of a data breach, exceeding $9 million in 2021 compared to just north of $7 million in 2020. As we've learned over the past year, any healthcare organization holding protected health information (PHI), personally identifiable information (PII), or other sensitive data is at risk. Ransomware remains among attackers' favorite tools for getting their hands on this data, and no healthcare covered entity or business associate is immune. Organizations with fewer than 1,000 employees account for almost half of all ransomware attacks, and the fastest malicious software can take over an entire network in 45 minutes or less.

It's surprising that, even with these well-documented cyber events wreaking havoc across the industry, some organizations still aren't giving cybersecurity the attention it deserves. And even though there is clear evidence that the cyber insurance market is changing along with these attacks, some organizations still assume that because they carry cyber liability coverage, they don't need to worry. The hard reality is that while cyber insurance is helpful and necessary, it is not the shield of immunity some organizations take it to be.

As ransomware attacks continue to increase, many cyber insurance underwriters now mandate ransomware supplemental applications as part of the underwriting process, as we discussed in a recent webinar. If you already have coverage, you may complete the traditional renewal application as usual, but your carrier may now also require a copy of your financials, something you may never have had to provide before. Why is that relevant?
It may be due, in part, to the increasing number of cyber extortion incidents. In 2020, for example, cyber extortion incidents rose almost 80% compared to the year before. In some cases, an excess layer now costs more in premium than the primary layer. We're seeing instances where an organization with $20 million in coverage pays $100,000 for the first $10 million, and it's not uncommon for the next $10 million of excess coverage to cost $125,000 or $150,000. Other impacts on the industry include:
- Many carriers now require a minimum claim retention
- Co-insurance is coming into play
- Reduced capacity, including cutting limits
- Market exits
- Underwriter fatigue caused by most renewals now going out to market and increasing competition for underwriting capacity
- Other emerging risks beyond COVID such as bankruptcy, reputation and brand damage and other injuries
Across the board, the cyber insurance market is hardening at a rapid pace, driven primarily by the increase in ransomware attacks across all industries and the resulting losses. The highly publicized attacks on managed service providers (MSPs) and critical infrastructure organizations have significantly accelerated an already firming market.

The shifting market is affecting more than just price. Because of the uncertainty around potential claims activity, carriers are also deploying more drastic measures: more rigorous underwriting, limited capacity, restrictive terms and conditions, minimum security standards (multi-factor authentication, endpoint detection, backups, etc.) and specific exclusions (unsupported technology, unencrypted portable devices, etc.). Some risks are now being forced to be fully self-insured.

Now that you have a better understanding of what is triggering changes in the cyber insurance market and what some of those changes look like, what can you do to protect yourself? First, consider partnering with an advisor who specializes in cyber risk management and cyber insurance. They can help you work with your cyber insurance broker and prepare you, well in advance, to address every area that needs attention long before your renewal is due, including implementing all recommended and required controls and having the necessary documentation and evidence ready. Whether you're partnering with an advisor or tackling a renewal or new policy yourself, here are five other tips that can help prepare your organization to defend against cyber-attacks and navigate today's evolving cyber insurance market:
- Understand your operations

What are your most critical assets, services, and systems? By understanding how your network and systems work, including what is most critical to your operations, you are better positioned to limit losses and disruption and to respond effectively. It's important for your team members to understand which assets and processes are critical for operational resilience.

- Build a culture of cooperation and unified goals

Your Risk, Information Security, Legal, and other relevant teams should work together, not in silos. Your security practices should support and enable the business, with a focus on protecting and securing your sensitive data.
- Create a sense of security that’s embedded within organizational culture
Train and educate your employees about risks and impacts. Build a culture in which every team member thinks before they click, to reduce the risk of successful phishing attempts and ransomware takeovers. And because training alone will never stop every click, put downstream safeguards in place as well.
- Know your vendors
While identifying your critical and most important vendors is key for business continuity, you should also maintain an inventory of all your vendors and their security practices, including who accesses and maintains sensitive and protected data, along with your contractual and legal agreements with them. What safeguards do these vendors employ? Are they meeting their requirements? If a vendor is the source of a breach, what safeguards and coverage do they have in place for response and recovery?
- Have a plan and practice
Crisis management is critical, especially for cybersecurity in healthcare. Test your incident response plans often and make sure your cyber insurance policy works in conjunction with them. Whenever your organization, environment, or threat landscape changes, update your plans, then test and retest. We've seen many instances where organizational risk managers have working knowledge of cyber insurance and its requirements but never run testing and exercises, and they end up falling short. It's a common mistake. Most incident response plans don't address whether you can file a claim and what is needed to do so.

While the recommendations above are good starting points for navigating today's cyber insurance market, the market is constantly changing, as is the threat landscape. With attacks on the industry increasing, we can no longer sit back and ask what happens if we experience a cyber-attack. Instead, we should shift our focus to mitigating, adapting, and responding to the when.

Don't wait until your next cyber insurance renewal is just days away. Take steps to prepare your organization well in advance so you know what's expected and can tackle potential roadblocks before they delay, or negate, your renewal. An extension period is not always a given, so don't delay in getting ready. Here are a few tips that might help:
- Connect with your IT team right away

Now is the time to work with your IT team and start asking the hard questions. Where do they think the organization is vulnerable? What are the most pressing current risks? Where do they believe the organization should focus resources to close gaps?

- Immediately engage with your cyber insurance broker

Don't wait for your broker to reach out to you about your renewal. Begin those conversations now, even if your renewal is many months away. The sooner you start, the better positioned your organization will be for terms and negotiations.

- Know your options

By engaging your broker now, you may find out that certain underwriters will no longer provide the coverage you need. What are your options then? Can you restructure your risk profile? What other challenges do you face? These are not issues you want to tackle a few days before your existing policy expires.

- Understand your must-haves

While you may have a list of "must-haves" for your coverage, many cyber insurance underwriters also have a list of "must-haves" they need from your organization, so understand and prepare for the minimums they expect to see in place before they will write coverage. Two of the most common are the security controls mentioned earlier: multi-factor authentication and endpoint detection and response. Without those two basic controls, you may find it difficult, if not impossible, to get the coverage your healthcare organization needs.

- Set expectations with your key stakeholders

Your key stakeholders include your senior leaders, executives, and other important decision-makers such as your board of directors. Take the time to have advance discussions with them about the state of the current cyber insurance market and its expectations and requirements, long before it's time for them to sign off on a renewal.

- Test and scan

While you likely have minimum security controls in place as required by HIPAA or other compliance mandates, it's also important to conduct external penetration tests and security scans before your cyber insurance renewal. It's highly likely your carrier is already doing this. Underwriters want assurance that you're doing what you say you're doing, and they are likely running external scans against your internet-facing systems in the background to see how well your security measures hold up. Don't get caught off guard when they find something that punches a hole in your coverage, or worse, leaves you without the support you need when a breach occurs.