As organizations face increasing cyber attacks, now is the time to consider adding protection through cyber insurance. Cyber insurance can help mitigate the financial damage of a cyber incident. Currently, about one-third of U.S. companies have cyber insurance, but purchasing it is not always straightforward.

What to know about cybersecurity insurance

Cyber insurance, or cyber liability insurance coverage (CLIC), can help policyholders cover the costs that result from a cyber attack or event. There is no set standard for what cyber insurance will cover, so coverage can vary greatly. However, some common expenses that a cyber policy might cover include:

  • Legal costs
  • Costs of third-party claims
  • IT forensics
  • Business losses
  • Hardware replacement
  • Customer notification
  • Credit monitoring
  • Identity recovery
  • Cyber extortion (e.g. ransomware)

In general, cyber insurance covers first-party losses and some third-party claims. However, your organization needs to consider its unique needs and existing coverage before purchasing cyber coverage.

Some companies make the mistake of assuming that their general liability insurance covers cyber events. While some general liability insurance policies might have some cyber coverage, this is not always the case. 

Organizations that store and manage patient/healthcare data or ePHI should consider cyber coverage to avoid potentially millions of dollars in damages. More important than cyber coverage, though, is that your company takes an active role in preventing a cyber attack in the first place.

Requirements for cyber coverage

Cyber insurance providers require policyholders to have certain security measures in place to qualify for coverage. Insurers need to understand your company’s level of cyber risk before taking you on as a customer. The stronger your cybersecurity posture, the less risk you may present. 

As organizations purchase policies, executive leadership and IT/security teams will need to keep up with the due diligence insurers expect. While there is no standard set of cybersecurity controls at this time, some common examples of such requirements include Managed Endpoint Detection and Response (Managed EDR) and multifactor authentication (MFA).

Managed EDR

EDR is a cybersecurity tool that detects threats on endpoints, such as servers and laptops, and cyber insurance providers are starting to require that policyholders have managed EDR in place.

Managed EDR improves threat detection and incident response, making your organization less of a liability for cyber insurance providers.

Multifactor authentication

Multifactor authentication is another cybersecurity best practice that insurance companies may look for. For organizations without MFA in place, some insurers are increasing rates drastically while reducing coverage, forcing many companies to look elsewhere for cyber insurance or implement more robust MFA protocols.

MFA places an extra layer of security around remote network access portals and e-mail services like Outlook365 or Outlook Web Access, making it much harder for cyber criminals to get into corporate networks and e-mail accounts through password attacks. In the eyes of insurance companies, this extra layer makes your organization less of a risk, thus improving your cyber coverage prospects.

Projected cyber insurance trends

As the cyber insurance landscape continues to evolve, here are some things your healthcare organization can expect in the coming months and years.

Coverage Limits

It is likely that cyber insurance providers will put additional limits on the types of cyber events that they will cover. Ransomware is a common example. The French insurer AXA recently made headlines for no longer covering ransomware claims.

Rising Premiums

Cyber insurance holders are seeing higher premiums due to the increasing cost and frequency of cyber attacks. Data breaches are becoming more widespread and severe, and in response the cyber insurance industry is adjusting not only its pricing but its coverage as well.

Minimum Control Requirements

Insurance companies currently set their own requirements for cyber coverage. However, there may be a demand for standardized requirements. Companies may need to have certain cybersecurity tools and processes in place before receiving cyber coverage from any insurance company. 

As cyber insurers continue to make adjustments based on industry trends and the current cyber threat landscape, IT teams will need to work with their executive leadership to mitigate risk and improve incident response.

Learn how Citizens Medical Center was able to stabilize their cyber insurance premiums while cost-effectively strengthening their cybersecurity program.