  • May 04 2016, 4:24pm EDT

8 steps to ensure you have adequate cyber insurance

Many healthcare organizations have data theft coverage, but policies rarely offer blanket protection and many have other coverage limits, warns Collin Hite, a security and data privacy expert at the Hirschler Fleischer law firm. Here’s what HIT executives can do to make sure they’re safe.

Everyone at risk

Cyber attacks are hitting provider organizations of all sizes, and small practices are not exempt, Hite says. These practices can be easy prey because they don’t have sophisticated IT security in place, can’t afford to fight off an attack, and typically don’t have redundant backup systems. Consequently, small practices need to look into cyber insurance, as should all providers, he notes.

Due Diligence

When purchasing coverage, be proactive to ensure you are getting the coverage you expect. Work with a broker who really knows the field, because the security environment and the insurance market that follows it are changing so rapidly, says Hite, who also suggests retaining a cyber insurance coverage attorney to negotiate the policy with the broker.

Coverage holes

Cyber coverage, however, comes with limits, and not all of those limits are clear. Language in insurance policies commonly includes “sublimits,” which “can really play a game of ‘gotcha’ in the coverage,” he explains. Sublimits are caps on what the insurer will pay for certain services covered under cyber insurance. For example, payments for public relations services following a breach may be capped at $100,000, and if the breach is sizable, that won’t be enough.

Credit monitoring

Some types of cyber insurance may include sublimits on credit monitoring services. If the sublimit is $200,000 and the services cost $225,000, the provider is on the hook for $25,000. “Work with your broker and underwriter to assess your needs and costs, but it’s a best estimate, not a perfect science,” Hite advises.

Big Bucks

Breaches are prohibitively expensive, and the costs come from every direction: re-securing and rebuilding a network, getting legal help, conducting forensic investigations, doing the PR work that includes breach notification, providing protective services for affected patients, extortion coverage and other liabilities. Providers may not be buying insurance that covers all of these issues, Hite warns.

Liability Costs

Provider organizations also may consider buying third-party coverage to address liability claims from affected individuals. To date, most victims have not been able to demonstrate proof of harm, but if they can in future incidents, addressing those claims will cost money.

Even after providers assess whether they are buying enough coverage and can financially handle additional costs once sublimits are reached, providers must look closely at the definitions contained in the policies. “The real issue in cyber coverage is definitions of certain terms, which could exclude coverage,” Hite says.

Coverage goes into effect on the day it is bought, but where a hacker has already infiltrated information systems before the policy was purchased, there may be no coverage, because policies often don’t work retroactively. Hite advises buying a policy with a “retroactive date” that covers the organization back at least one year.

Provider Homework

Organizations with the financial and technical means should have a strong response team in place, with everyone knowing their duties if an attack comes. Smaller providers, however, are more reliant on external help. But there is homework they can do now to be better prepared later on.

Insurers will give providers a list of approved law firms whose fees they will pay. Pick a firm and start a relationship with it immediately, regardless of your organization’s size, Hite counsels. This way, “you’re not figuring out things on the fly about getting forensics, a law firm and credit monitoring,” he says. “This is a risk management and brand management issue.”