Just about any business, especially in healthcare, is likely already covered by some kind of general liability insurance. Such policies are standard, providing coverage for events such as bodily injury and/or property damage that result from the insured’s operation, product, and/or building/site. However, these types of policies were created long before the days of cybercrime. They were never meant to cover liability or loss from things like cyberattacks and data breaches. Therefore, these policies rarely if ever cover losses due to cybercrime. In fact, just about all general liability policies now come with very specific language about the fact that they do NOT cover such losses or costs due to cyber-incidents. This means many businesses have no choice but to turn to cyber insurance… and so they should.
Need proof? Just read the news and you’ll see this has been a big year for data breaches. Heck… it’s been a big week. First, there are the three separate cyberattacks just announced by British Airways, GitHub, and Slack. It was also just made public that some genius down at the Australian Department of Immigration “accidentally” emailed a list containing the passport numbers and Visa details of thirty-one world leaders, including President Barack Obama, to the organizers of the Asian Cup soccer tournament (I wish I was making this up, but I'm not).
Well played, Australia… well played, indeed. Thank you for once again proving that all the cybersecurity technology in the world is powerless in the face of human error.
And this is why more and more businesses are turning to cyber insurance.
In part 1 of this series on cyber insurance, we discussed some of the events that led to the rise of the cyber insurance market. In this second installment, we are going to take a closer look at the ins and outs of such policies.
The Cost of Cyber Attacks
A joint 2014 study on cybercrime, conducted by both HP Enterprise Security and the Ponemon Institute, came up with some pretty terrifying numbers. The average cost of cybercrime in 2010, per company, was $5.6 million. In only four years, that amount nearly doubled (an increase of 95%) to a staggering average cost of $12.7 million per company in 2014. This figure is even scarier when one considers the rapid increase in successful cyberattacks over the last four years. In 2010, there were an average 50 successful cyberattacks per company. By 2014, that average rose to 122 successful attacks per company (a gain of 144%).
The takeaway from the above survey is pretty clear—with each passing year, cybercriminals are getting better at what they do. Not only are their attacks becoming more common and sophisticated, which has led to the increased success rate, but they are becoming more costly. That’s the bad news. Now for the good news…
Unfortunately, there is no good news… sorry.
The odds of small businesses, especially in healthcare, experiencing at least some form of a cyberattack (successful or not) are just as grim as those for large corporations. This is because small businesses are viewed by cybercriminals as fairly lucrative, low-risk targets. Studies conducted by Verizon, in both 2012 and 2013, found that the majority of data breaches on businesses occurred at those that had fewer than 100 employees. The average costs of one successful cyberattack on a small business was $8,700, with most businesses being able to recover within three days. However, 12% of small businesses attacked found it took more than a week for them to recover.
For a small private practice with less than a dozen total employees, a loss of $8,700 is no joke. Even more so for some small/rural medical practices, where an amount like that could mean not being able to make payroll for the month. The annual costs of cyber insurance, by comparison, are far more affordable than those of a cyberattack or data breach.
The Cost of Cyber Insurance
As with any other sort of insurance, the cost of a cyber insurance policy will depend on a number of factors—industry type, size of business, annual revenue, and estimated risk level, among other things. Cyber insurance firm Cyber Data-Risk Managers recently released a sampling of the cyber insurance coverage and premium amounts that are common for some of their insured parties. Surprisingly, it seems annual revenues are not great indicators of coverage amounts, and coverage amounts are not very good indicators of how much premiums will be, as the below examples demonstrate:
Corporation—Hospital
Annual Revenue: $170 million
Cyber Insurance Coverage Limit: $5 million
Annual Premium: $42,000
Corporation—Healthcare Industry
Annual Revenue: $25 million
Cyber Insurance Coverage Limit: $1 million
Annual Premium: $12,900
Corporation—EHR Provider
Annual Revenue: $5 million
Cyber Insurance Coverage Limit: $1 million
Annual Premium: $8,010
Corporation—Healthcare IT Provider
Annual Revenue: $1.2 million
Cyber Insurance Coverage Limit: $5 million
Annual Premium: $15,900
Private Business—Doctor’s Office
Annual Revenue: $1.7 million
Cyber Insurance Coverage Limit: $1 million
Annual Premium: $1,800
Small Business—Doctor’s Office
Annual Revenue: $700,000
Cyber Insurance Coverage Limit: $500,000
Annual Premium: $649
When it comes to doctors’ offices, as can be seen from the final two examples above, the size and annual revenue of a practice actually does seem to have an impact on premiums/costs. A doctor’s office that brings in $1.7 million or more a year is going to pay an annual premium in the lower thousands, whereas a smaller practice is likely to only pay an annual premium in the mid to high hundreds. Either way, this means cyber insurance is a sound investment. An $1800 annual premium only comes out to a monthly cost of $150, and a $649 annual premium only comes to about $54.15 a month.
When you compare an investment of $1800/$649 to the $8,700 loss that a cyberattack is likely to cause for your business, the benefit of investing in cyber insurance coverage becomes pretty clear. However, there are still a few things you need to know before you jump into purchasing cyber insurance.
Cyber Insurance Exclusions & Pitfalls
While a good investment, you still need to make sure you also get the kind of cyber insurance coverage your practice needs. As any healthcare care provider already knows all too well, few things are as infuriating as submitting what you consider a valid claim to an insurance company only to have them refuse to pay it due to some obscure policy loophole or coverage exclusion they just “accidentally” failed to point out (of course, they didn’t “accidentally” put it into writing).
There are a number of pitfalls and exclusions you have to watch out for when it comes to purchasing cyber insurance. Some of these are things that can be negotiated with most cyber insurance providers, while others are pretty set in stone. However, it’s always best to go into any formal insurance contract knowing exactly what is and is not going to be covered.
Encryption Requirements: Just about all cyber insurance policies make encryption a requirement. This means they will refuse to cover your business for any data breaches or cyberattacks that are the result of unencrypted data or devices. For those in healthcare, to be honest, it’s a wise move to have encryption on anything that stores or transmits PHI anyway. You are not going to find a cyber insurance provider willing to negotiate on this one. No encryption = no coverage.
Reputation Harm Exclusions: Some cyber insurance providers exclude coverage for any costs related to damages to a brand’s image or company’s reputation due to a cyberattack. Unfortunately, this is pretty standard in such policies, which means it’s unlikely you’ll be able to negotiate on it.
Future Revenue Losses: While cyber insurance will cover your immediate losses and costs for a cyberattack or data breach, they often exclude coverage for unanticipated future losses after the incident has been resolved. Sometimes, this can be negotiated, but it seems that most providers are pretty set on it.
Tech Improvements: While they will most certainly cover the costs of replacing hardware or technology that is damaged or destroyed as a result of a cyberattack, they often will not cover any upgraded or improved hardware/technology.
Lost Intellectual Property Value Exclusions: Intellectual property value is one of those things that, once compromised, can honestly never be fully recovered. The projected losses for such incidents are just too problematic to calculate, meaning they’re not something most cyber insurance companies are willing to cover. It’s just too risky. Therefore, this is another exclusion that is pretty non-negotiable across the board.
Paper File Breach Exclusions: I know… one wouldn’t think “paper” when it comes to cyber insurance. However, most experts agree that any cyber insurance policy worth having can and should include coverage of protected/private data or information that is printed on paper (in addition to electronic files). This is one of those exclusions that many providers try to slip past customers. Make sure you ask about it, and make it clear that you will not sign any policy that doesn’t cover paper files (trust me, any legit cyber insurance provider will compromise on this if you demand it… if they don’t, you should probably go with another provider anyway).
Government Claims/Fines Exclusion: This is another sneaky exclusion that often gets thrown into cyber insurance policies. It more or less states that they will not cover any government fines or claims against the insured entity that result from a cyberattack or data breach. Once again, this exclusion is considered bogus by most legit cyber insurance providers. Therefore, ask about it and demand that your policy include coverage for government fines and claims. After all, what good is such a policy to a healthcare professional if it doesn’t provide compensation for the HHS fines that any PHI data breach is likely to cause?
Third-Party Liability Exclusions: Some cyber insurance providers refuse to cover you for breaches that occur due to third parties. Let’s say, for example, that you purchase a private Cloud from a third-party vendor. If that vendor is hacked and your data is breached, such an exclusion would prevent you from being covered. Some cyber insurance providers will negotiate on this one, while some will not. Therefore, it’s really up to you to decide how crucial it is to your practice. Obviously, if you do not deal with any third-party vendors, then this exclusion isn’t really that big of a deal. If you do, however, you should find a cyber insurance provider who is willing to include this kind of coverage.
I hope you’ve enjoyed this brief series on cyber insurance, and that you now feel empowered to find a policy that will best fit your organization’s needs. Remember, a little planning and research goes a long way. Shop around. Don’t just go with the first cyber insurance provider you find on Google. Do your homework. Know what they cover (and more importantly, what they don’t cover). Good luck!