How to use cyber insurance to better transfer risk
However comprehensive a healthcare organization's cybersecurity measures, some residual risk always remains, and cyber insurance is a tool for transferring that exposure rather than simply absorbing it.
Healthcare organizations are beginning to look to insurance or cyber risk transfer programs as a way to shift risk, not just to protect the balance sheet but also to provide contractual evidence of coverage and support compliance. But how much coverage is enough to protect against the risks and insure against the losses?
A prudent cybersecurity program starts by comprehensively quantifying the risk, developing cybersecurity measures commensurate with that risk, and transferring or managing the remainder with cyber insurance. It is also critical that cybersecurity be treated as a problem for the entire organization rather than the IT department alone, with senior management and the board of directors actively involved in key decisions and budgeting.
Less than half of the healthcare respondents’ organizations (49 percent) have cyber insurance coverage, according to the Marsh-Microsoft Global Cyber Risk Perception Survey. This number is comfortably more than the cross-industry average of 34 percent, but marginally behind financial institutions (52 percent). Quantifying cyber risks and creating greater awareness can catalyze actions to mitigate cyber risks, including increasing cyber insurance coverage.
Too often, cyber risk analysis is conducted with simplistic estimation methods based on broad assumptions that are not specific or appropriate to a given provider. While less expensive in the short term, these methods may not tell the full story and may leave an organization uninformed about its true exposure. This, in turn, can lead to under-investment in the staff, solutions, training and outside resources needed to contain the threat. In my practice, we use scenario analysis to estimate cyber exposure: we define concrete cyber event scenarios and estimate the resulting losses using cost models tailored to each specific impact.
More than half (56 percent) of healthcare respondents in the Marsh-Microsoft survey say their organizations measure the cyber risks they are exposed to, but a significant proportion rely on qualitative methods. Three in four of those that measure do so with basic exposure categories or "maturity levels" used to benchmark against peers; a minority conduct economic quantification such as value-at-risk modeling (30 percent of those who measure) or numerical rankings within a fixed framework (16 percent).
Considering the expected high financial impact of cyber attacks and data breaches, healthcare organizations should allocate more resources to understanding the magnitude of cyber risk within their overall risk profile by quantifying the potential impacts. Industry-specific safeguards should be designed to prevent incidents, accompanied by a playbook for response and recovery in case of a breach.
These scenario-based loss estimates are then overlaid with an analysis of potential insurance coverage for loss of business income and multiple categories of extra expense. The scenarios and analyses can also illuminate opportunities to improve cyber risk management and resiliency, such as business continuity planning, incident response and stress testing.
Quantitative rather than qualitative cyber exposure analysis gives hospital decision makers, including IT management, general management and the board, the information they need to make better decisions about cyber threat abatement measures and about obtaining appropriate insurance coverage.
Cyber risk management in the healthcare industry is still too often perceived as a problem for the IT department alone. Some 83 percent of healthcare respondents to the Marsh-Microsoft survey indicated that responsibility for cyber risk sits mainly with IT, which acts as the primary owner and decision-maker for managing it, compared with a 70 percent cross-industry average.
While the healthcare industry understands the key role of risk management teams better than other industries, it is still crucial to make managing cyber risk a responsibility shared across the organization.
The next stage for these organizations is to move cyber risk from a technology-focused to a risk-driven footing, making it a top-down, company-wide responsibility that cuts across departments. Risk teams and senior management must work with IT to define cyber risk metrics within the organization's risk appetite. Functions such as HR and public relations also have an integral part to play in the processes and communications of cyber risk management.
Looking ahead, healthcare organizations will find that legacy systems and the current way sensitive data are stored in the EHR are no longer sufficient for maintaining health data. Patients are likely to keep integrating new sources of health data, such as Fitbit readings, downloaded genetic information and additional personal data from wearable and implantable devices. In the future, all of these could form part of the medical record.
Nor will the problem be confined to health records on a hospital's servers or in its cloud; health data held on personal phones will matter as well. The introduction of 5G networks will further increase the potential for compromise. Other emerging technologies will push the healthcare system toward a more data- and analytics-driven model, enabling healthcare organizations to turn data into information on which decisions can be based.
With these technologies on the horizon and their implications for healthcare cybersecurity, it is critical that healthcare organizations continually update their risk identification and quantification, deploy effective countermeasures, and transfer risk where appropriate through cyber insurance. It will also be critical to make cybersecurity a central concern of the entire organization, including senior management and the board.
This article is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisers.