As with any insurance, many factors go into determining your premiums. Cyber liability insurance is no different; however, some healthcare organizations are seeing their insurance premiums increase even when they haven't had a breach. Why is that? Here are some of the reasons we are seeing for the increases.
One example of a cyber liability insurance company taking a harder stance on identified risks was at a particular hospital where the insurer did an evaluation and told the hospital that it had to implement MFA within 8 weeks, or the insurer would not be able to cover it. In order for the hospital to implement MFA, it needed to update its Cath lab, because the current version could not support MFA. Updating the Cath lab was going to cost the hospital $700k, which it could not afford to do at that time.
Often, hospitals think that if they have Cyber Liability Insurance, it covers all instances of a cyberattack and that they will be covered should one happen to them. This is not always the case. You need to make sure you understand what is covered, as this may affect how you respond to certain situations. You should also be aware of the process and requirements the insurer expects in the event of an attack. Some examples to consider are below:
Your cyber liability insurance company should provide you with details about how you can meet requirements to reduce risk and premiums. There are some common things that most insurance companies will look for or require. Some include:
1. Multi-Factor Authentication – MFA can be bypassed but is still a must-do and a minimum requirement for admin accounts (if you don't have MFA for every application, your premiums will likely be higher). Insurance companies will also look at how strong your backup system is – this drives how much a recovery costs.
2. Patch Management – additional scrutiny of the admin accounts will help – how are you managing your admin accounts across the environment?
3. Incident Response – do you have a professional incident response plan?
4. Cybersecurity Awareness Training – not just phishing training (you should do ransomware testing too).
5. Logging and Monitoring – a SIEM is not enough – you need deep packet inspection and other monitoring technology.
6. End of Life – don't keep applications that are End of Life (this goes beyond servers).
7. Supply Chain – how are you vetting and managing your supply chain? Are you doing risk assessments? How do you ensure your vendors are maintaining the same security standards? Your BAAs should have the same security guidelines that you do – saying "they should be HIPAA compliant" doesn't mean they have the same security controls in place.
There are many other things you can do to reduce your premiums, but you need to stay in communication with your insurance company, be able to show how you are mitigating risk, and include your C-Suite in your planning.
If you're looking for a full solution to comply with best practices, monitor your network to detect threats, and be able to show you can respond to an incident, I invite you to check out our Cybersecurity-as-a-Service - we can take the burden of managing your cybersecurity program off your team, and likely lower your premiums in the process.
Please reach out with any questions. For more information, contact us at info@sensato.co.