The value of cyber insurance for health care providers
by RSM US LLP
ARTICLE | August 24, 2023
Health care organizations that understand their cyber insurance coverage have much to gain in mitigating cybersecurity risks for their organization. However, understanding coverage is only the beginning when it comes to safeguarding sensitive data. Organizations that fail to continuously monitor their coverage become at risk due to escalating security challenges.
According to the National Association of Insurance Commissioners, data breaches increased by 68% from 2020 to 2021, due in part to health care providers embracing the pandemic-era realities of virtual care and remote work. Unfortunately, when quickly implementing technologies during this transition, organizations may have overlooked some security vulnerabilities.
Many organizations have found, insurance can provide a variety of protections and benefits, including:
In the event of cyber incidents such as phishing schemes, malware attacks, and unauthorized access to computer systems. Health care organizations are prime targets for cybercriminals due to the sensitive and valuable patient data they possess. In the event of a breach, coverage can be provided. Health care organizations hold vast amounts of sensitive patient data, including Health Insurance Portability and Accountability Act-protected health information and personally identifiable information.
Risk management services and incident response support.
With some cyber insurance policies, insurers can help health care organizations assess their cybersecurity posture, identify vulnerabilities and develop risk mitigation strategies.
Alignment with data protection and privacy regulations.
Such as HIPAA in the U.S. and the General Data Protection Regulation in the European Union. Cyber insurance policies can be tailored to align with these regulatory requirements and provide coverage for potential fines and penalties resulting from inadequate oversight.
Coverage for unforeseen risks associated with third-party vendors.
This applies to incidents arising from the actions of third parties or breaches of their systems when the incident affects the health care organization.
The cost of cyber insurance can vary significantly, depending on various factors specific to each organization. These include organization size, industry sector, annual revenue, the extent of coverage desired, past cyber incidents, cybersecurity measures in place, and the level of risk associated with the organization's data and operations. In addition, multiple types of coverage are available, including the following:
Focuses on the direct losses and expenses incurred by the insured organization as a result of a cyber incident. It typically includes (but is not limited to) data breach response cost, business interruption losses, data restoration, and crisis management and public relations.
Data breach response costs
Covers expenses related to breach investigation, notification of affected individuals, credit monitoring services, public relations, legal fees, and regulatory compliance.
Focuses on liabilities and expenses arising from claims by third parties affected by a cyber incident. It typically includes (but is not limited to) privacy liability, network security liability, media liability, and vendor or business partner liability.
Specifically designed to address financial losses resulting from cybercrimes such as fraudulent funds transfer, social engineering, or electronic theft.
Organizations should carefully assess their cyber risk profile and consult with insurance professionals to determine the most appropriate types and levels of coverage for their specific needs. Cyber insurance policies can vary in terms of coverage limits, exclusions, deductibles, and additional services, so it's essential to review and understand the terms and conditions of the policy before purchasing.
While cyber insurance provides valuable protection against cyber risks, some potential disadvantages include:
Premiums can be expensive, especially for organizations with higher levels of risk or requiring extensive coverage. The cost may vary based on factors such as the organization's size, industry, cyber risk profile, and desired coverage limits. For some organizations, the cost of cyber insurance may outweigh the potential benefits.
Coverage limitations and exclusions.
Limitations may vary from policy to policy, and it's important to carefully review the terms and conditions to understand what is covered and what is not. Common exclusions may include certain types of cyber incidents, preexisting vulnerabilities, acts of war or terrorism, or fraudulent acts by employees.
Cyber insurance policies may impose specific requirements on organizations to maintain certain cybersecurity standards and risk management practices. Failure to meet these requirements could result in reduced coverage or denied claims. Compliance with these requirements may involve additional costs and efforts for organizations to ensure ongoing adherence.
A false sense of security.
Cyber insurance should not substitute for robust cybersecurity measures. Some organizations, mistakenly assuming that having insurance means they are fully protected, may neglect essential preventive measures. It is critical to have comprehensive cybersecurity practices in place, including regular risk assessments, employee training, incident response plans, and strong technical controls, in addition to having insurance coverage.
"Cyber insurance is a great risk treatment strategy within an organization’s risk management program. Health care organizations can prevent missing out on potential cyber policy benefits by reading their policy first, followed by performing rigorous periodic cyber assessments to challenge the organization’s cyber posture."
Jason Pymento, Manager, cyber strategy, risk and compliance at RSM US LLP
Premiums for cyber insurance can range from several thousand dollars to hundreds of thousands of dollars per year. Small businesses with lower revenue and fewer cyber risks may be able to find coverage at the lower end, while larger organizations with higher revenue and more complex cyber risk profiles, including health care organizations, can expect to pay significantly higher premiums.
It's important to note that cyber insurance premiums are not the only cost associated with cyber insurance. The policy may specify deductibles, copays, or other cost-sharing arrangements. Additionally, some policies may have separate sub-limits for specific types of losses or expenses, such as legal defense costs or public relations services, which could affect the overall cost.
Fortunately, with the right cybersecurity strategy, it’s possible to lower insurance premiums and maximize the value of a cyber insurance package. The following actions add value to an organization’s risk management policies and practices, and underwriters take them into consideration when determining cybersecurity premiums:
- Adopt a cybersecurity framework such as CIS (Center for Internet Security), NIST (National Institute of Standards and Technology), ISO 27001, and SOC 2 (System and Organization Controls).
- Enable multifactor authentication.
- Develop an incident response plan.
- Ensure secure data backup.
- Conduct regular penetrating testing.
Organizations should consider cyber insurance costs as part of their overall cybersecurity budget and risk management strategy. While cost is a factor, it should be weighed against the potential financial losses and liabilities that can arise from a cyber incident, as well as the value of the coverage and risk mitigation services provided by the policy.
Call us at (360) 734-4280 or fill out the form below and we'll contact you to discuss your specific situation.
This article was written by Michael Haas, Danny Schmidt, Ron Ritenour and originally appeared on 2023-08-24.
2022 RSM US LLP. All rights reserved.
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.
Larson Gross PLLC is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.
Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise and technical resources.
For more information on how Larson Gross PLLC can assist you, please call (800) 447-0177.