How cyber insurance fits into your cybersecurity posture

Person signing cyber insurance

Cyber attacks continue to increase, and the cost of these data breaches can be significant. An IBM study found that generally the average data breach costs $4.35 million. When applied to the healthcare industry, this average cost rises to $10.10 million. 

As organizations face increasing risks, now is the time to consider increasing protections.

Cyber insurance can help mitigate financial damage from these attacks. Currently, about one-third of U.S. companies have cyber insurance, but purchasing cyber insurance is not always straightforward. Here is what your organization should know about cyber insurance in 2021, as well as the future of the industry. 

What to Know About Cyber Insurance

Cyber Insurance: The Basics

Cyber insurance or cyber liability insurance coverage (CLIC), can help policyholders cover the costs that result from a cyber attack or event. There is not a set standard for what cyber insurance will cover, as such coverage can vary greatly. However, some common expenses that a cyber policy might cover include:

  • Legal costs
  • Costs of third-party claims
  • IT forensics
  • Business losses
  • Hardware replacement
  • Customer notification
  • Credit monitoring
  • Identity recovery
  • Cyber extortion (i.e. ransomware)

In general, cyber insurance covers first-party losses and some third-party claims. However, your organization needs to consider your unique needs and existing coverage before purchasing cyber coverage. Some companies make the mistake of assuming that their general liability insurance covers cyber events. While some general liability insurance policies might have some cyber coverage, this is not always the case. 

Organizations that store and manage patient/healthcare data or ePHI should consider cyber coverage to avoid potentially millions of dollars in damages. More importantly than cyber coverage, your company should take an active role in preventing a cyber attack in the first place.

Requirements for Cyber Coverage

Cyber insurance providers require policyholders to have certain security measures in place to qualify for coverage. Insurers need to understand your company’s level of cyber risk before taking you on as a customer. The stronger your cybersecurity posture, the less risk you may present. 

As organizations purchase policies, executive leadership and IT/security teams will need to keep up with the above due diligence. While there is no standard set of cybersecurity controls at this time, some common examples of such requirements include EDR/MDR and MFA (as defined below). 

  • EDR/MDR: Some cyber insurance providers require policyholders to have end point detection response (EDR) and managed detection and response (MDR) in place. EDR is a cybersecurity tool that detects threats on endpoints, like servers and laptops. MDR is managed EDR. 

Having EDR/MDR in place improves threat detection and incident response, making your organization less of a liability for cyber insurance providers. 

  • MFA: Multi-factor authentication (MFA) is another cybersecurity best practice that insurance companies may look for. Without MFA, insurers are increasing rates drastically while reducing coverage, which could force healthcare companies to look elsewhere for cyber insurance.

MFA places an extra layer of security around remote network access portals and e-mail like Outlook365 or Outlook Web Access, preventing cyber criminals from easily accessing corporate networks and e-mail accounts through password attacks. In the eyes of insurance companies, this extra layer makes your organization less of a risk. 

Improving your entire security posture will boost your cyber coverage prospects. Healthcare organizations interested in cyber coverage should consider working with a cybersecurity consultant.

Projected Trends in Cyber Insurance

The cyber insurance landscape continues to evolve. Here is what your organization can expect in the coming months and years.

  • Coverage Limits: It is likely that cyber insurance providers will put additional limits on the types of cyber events that they will cover. Ransomware is a common example. The French insurer  AXA recently made headlines for no longer covering ransomware claims. 
  • Rising Premiums: Cyber insurance holders are seeing higher premiums due to the increasing cost and frequency of cyber attacks. Data breaches are becoming more widespread and severe, and in response the cyber insurance industry is adjusting not only on costs but coverage as well. 
  • Minimum Control Requirements: Insurance companies currently set their own requirements for cyber coverage. However, there may be a demand for standardized requirements. Companies may need to have certain cybersecurity tools and processes in place before receiving cyber coverage from any insurance company. 

Cyber insurers continue to make adjustments based on industry trends and the current cyber-threat landscape. Healthcare IT teams will need to work with their executive leadership to mitigate risk and improve incident response.

To learn more, check out our cyber insurance briefing video.