Cyber insurance gaps may surprise healthcare organizations
Many healthcare organizations are turning to cyber insurance policies to help them cover costs related to information security events, but coverage is complex and may not provide blanket protection for all costs.
Policies may contain hidden coverage limits, and many times, small group practices may not realize that gaps exist in their coverage, warns Collin Hite, leader of the security recovery, data privacy and security group at the Hirschler Fleischer law firm in Richmond, Va.
Cyber attacks are hitting provider organizations of all sizes, and small practices are not exempt, Hite says. These practices could be easy prey because they don’t have sophisticated IT security in place and can’t afford to fight off an attack, and they typically don’t have redundant backup systems.
Consequently, small practices need to look into cyber insurance, just as providers of all sizes have, Hite says. However, coverage comes with limits, and not all of those limits are clear. Language in insurance policies commonly includes “sublimits,” which “can really play a game of ‘gotcha’ in the coverage,” he explains.
Sublimits are caps on what the insurer will pay for certain services covered under cyber insurance. For example, payments for public relations services following a breach may be capped at $100,000, and if the breach is sizable, that won’t be enough.
Some types of cyber insurance may include sublimits on credit monitoring services. If the sublimit is $200,000 and the services cost $225,000, the provider is on the hook for $25,000. “Work with your broker and underwriter to assess your needs and costs, but it’s a best estimate, not a perfect science,” Hite advises.
When purchasing coverage, be proactive to ensure you are getting the coverage you expect. Work with a broker who really knows the field, because the security environment and subsequent insurance market are changing so rapidly, says Hite, who also suggests procuring the services of a cyber insurance coverage attorney to negotiate with the broker on the policy.
Breaches are expensive, and the costs come from every direction: re-securing and rebuilding a network; obtaining legal help; conducting forensic investigations; doing the PR work, which includes breach notification; providing protective services for affected patients; extortion payments; and other liabilities. Providers may not be buying insurance that covers all of these issues, Hite warns.
Provider organizations also may consider buying third-party coverage to address liability claims from affected individuals. To date, most victims have not been able to demonstrate proof of harm, but if they can in future incidents, addressing those claims will cost money.
Even after providers assess whether they are buying enough coverage and can financially handle additional costs once sublimits are reached, providers must look closely at the definitions contained in the policies. “The real issue in cyber coverage is definitions of certain terms, which could exclude coverage,” Hite says.
Coverage goes into effect on the day it is bought, but in instances where a hacker has already infiltrated information systems before the policy was purchased, there is no coverage, because policies often don’t work retroactively. Hite advises buying a policy with a “retroactive date” that covers the organization back at least one year.
Organizations with the financial and technical means should have a strong response team in place with everyone knowing what their duties are if an attack comes. Smaller providers, however, are more reliant on external help. But there is homework they can do now to be better prepared later on.
Insurers will give providers a list of approved law firms whose services they will pay for. Pick a firm and start a relationship with it immediately, regardless of your organization’s size, Hite counsels. This way, “you’re not figuring out things on the fly about getting forensics, a law firm and credit monitoring,” he says. “This is a risk management and brand management issue.”