Factors Impacting Why Cyber Liability Insurance Premiums Are Increasing
As with any insurance, many factors go into determining your premiums, and cyber liability insurance is no different. However, some healthcare organizations are seeing their premiums increase even though they have not had a breach. Why is that? Here are some of the reasons we are seeing for the increases.
- Ransomware is on the rise. Cyber insurers expect cyberattacks to keep getting worse, so they are asking more in-depth questions to uncover how ready you are to stop an attack. You may be noticing an increase in the amount of documentation required.
- Because insurers are asking more in-depth questions, they are identifying more areas of risk, and therefore charging more to insure you.
- Insurance companies have also started doing spot checks. If you are unprepared to answer their questions, they can raise your premiums.
One example of a cyber liability insurer taking a harder stance on identified risks involved a particular hospital. The insurer did an evaluation and told the hospital that it had to implement MFA within 8 weeks or the insurer would no longer cover it. To implement MFA, the hospital needed to update its Cath lab, because the current version could not support MFA. Updating the Cath lab was going to cost the hospital $700k, which it could not afford at that time.
Understand What Your Liability Insurance Covers
Often, hospitals assume that having Cyber Liability Insurance means every kind of cyberattack is covered and that they will be protected should one happen to them. This is not always the case. You need to make sure you understand what is covered, as this may affect how you respond to certain situations. You should also be aware of the process and requirements the insurer expects you to follow in the event of an attack. Some examples to consider are below:
- Will your cyber liability insurance cover the cost of paying a ransom? A Department of Treasury notice says that you may be violating national security rules if you pay a ransom, so many insurance policies will not cover the ransom payment. Be clear on what your insurance provider will actually pay for.
- Some cyber insurance policies state that if you have an attack, you must turn over operations to the insurer or they will not pay anything. This can go beyond your IT infrastructure: it could mean turning over operations of legal counsel and other departments, which could put you in a bad position. Be sure you understand whether your policy has any turnover requirements after a ransomware attack.
- You should have a plan for disclosing to patients that there is a potential security risk while you are under a cyberattack. If this is not handled appropriately, it has implications for lawsuits down the road.
What are Insurers Looking for You to Do?
Your cyber liability insurance company should provide you with details about how you can meet their requirements to reduce both risk and premiums. There are some common things that most insurance companies will look for or require, including:
1. Multi-Factor Authentication – MFA can be breached, but it is still a must-do and a minimum requirement for admin accounts (if you don't have MFA for every application, your premiums will likely be higher). Insurance companies will also look at how strong your backup system is, since that drives how much recovery costs.
2. Patch Management – additional scrutiny of admin accounts helps here: how are you managing your admin accounts across the environment?
3. Incident Response – do you have a professional incident response plan?
4. Cybersecurity Awareness Training – not just phishing training (you should do ransomware testing too).
5. Logging and Monitoring – a SIEM is not enough; you need deep packet inspection and other monitoring technology.
6. End of Life – don't keep applications that are End of Life (this goes beyond servers).
7. Supply Chain – how are you vetting and managing your supply chain? Are you doing risk assessments? How do you ensure your vendors maintain the same security standards you do? Your BAAs should carry the same security guidelines that you follow; saying "they should be HIPAA compliant" doesn't mean they have the same security controls in place.
There are many other things you can do to reduce your premiums, but you need to stay in communication with your insurance company, be able to show how you are mitigating risk, and include your C-Suite in your planning.
If you're looking for a full solution to comply with best practices, monitor your network to detect threats, and show that you can respond to an incident, I invite you to check out our Cybersecurity-as-a-Service. We can take the burden of managing your cybersecurity program off your team, and likely lower your premiums in the process.
Please reach out with any questions, or for more information contact us at firstname.lastname@example.org.