By Sumita Saxena, Senior Consultant, The Verden Group
The cyber-attack on Anthem, which left 80 million customers and employees vulnerable to identity theft, has quickly elevated the question of whether to purchase cyber risk insurance to the forefront of discussion among healthcare providers. The attack will certainly impact the market of cyber security insurance for healthcare providers, payers and others. Small to medium-sized healthcare organizations that have not considered such coverage may do so now while insurers will be re-evaluating underwriting standards and likely premium levels in the wake of the Anthem attack.
Most policies provide broad coverage for what constitutes a privacy breach, whether it results from a hacker, unauthorized access by an internal rogue employee or a laptop that was lost or stolen. Coverage can be divided into two categories: first-party and third-party costs.
Typically first-party costs involve those direct costs related to responding to a privacy breach or security failure. Such costs include forensic investigation of the breach, legal advice to determine notification obligations, notification costs of communicating the breach, offering credit monitoring to customers or patients as a result, and loss of profits and extra expenses during time network is down (business interruption).
Generally third-party costs include legal defense, settlements or damages or judgments related to the breach, liability to banks for re-issuing credit cards, cost of responding to regulatory inquiries and regulatory fines and penalties. Optional coverage can encompass underwriting for cyber-extortion, where hackers access a network and demand a ransom in exchange for not stealing data (many companies would rather pay the ransom and make the problem go away).
Larger organizations are more likely to purchase coverage than smaller ones given their access to risk managers and in-house IT security. Smaller companies, like physician practices and local clinics, may not have access to such resources and may forego coverage as unnecessary or too expensive. Data breaches, however, are continuing to garner significant attention and some insurance experts have commented that more and more small and mid-sized organizations are actively seeking out this coverage. Premiums for a $1 million plan are generally $5,000 to $10,000 annually though the cost can vary based on several factors, including company revenue, cyber-risk management efforts and the coverage chosen.
The cost of insurance coverage and breach response is minimal, however, when compared to the legal and regulatory costs associated with a data breach, which depending on the size of the attack, can run into the millions and substantially impair a company’s profitability if the response is not adequate.
Any large, well-publicized breach such as the one that struck Anthem will affect the market for cyber security insurance, as noted by industry experts, by influencing coverage terms, increasing coverage prices and making underwriting requirements more stringent, especially for healthcare companies as the industry sees more large-scale breaches. In light of these changes, it is prudent to re-assess network security and adequacy of breach notification, and to consider cyber risk insurance as an additional safeguard against the substantial cost associated with data breaches.