Protecting Your Hospital from Ransomware Part 3: Three Important Considerations for Your Cyber Liability Coverage

by Mark Stenmark, MHSA, FACMPE

Senior Director, Insurance Services

As the impact of record high ransomware attacks send shock waves through the insurance industry, many insurers are reassessing their exposure based on the increasing frequency of claims and mounting losses. This may mean higher premiums and deductibles, less coverage and coverage limits, and even non-renewals. Because a stand-alone, cyber liability and breach response insurance policy remains a primary component of a sound cyber security strategy, hospital and health system leaders are encouraged to check in with their cyber liability insurance broker and insurance carrier as soon as possible to review their policy in detail. Here’s three important considerations for your coverage and those conversations.

Know your organization’s risks—A comprehensive identification of your organization’s risks is the biggest challenge facing most health care leaders in this area. Every organization is different and cyber risk exposure is impacted by many factors (see sidebar). Ensure you have the policy terms and conditions and coverage limits you need. In my last blog, I outlined specific cyber security strategies that chief information officers can implement to reduce common vulnerabilities.

Know your policy details—Fully understand the implications of policy exclusions, sub-limits and aggregate limits. Ask for and expect full transparency. Review your claims history. Your broker can help you access a bi-annual loss run. If there are open claims, work to get them closed. Keep your loss run up to date. Develop your incidence response plan and business continuity plan. You also will want to ensure your carrier provides access to the staff, services and resources to support your organization before, during and after a breach, including:

• Access to assessments, education, training, on-site consulting and table-top exercises
• Access to a 24/7 hotline staffed with experts who can provide assistance
• Immediate notifications of recent breaches to help your cyber security team react quickly to the constantly changing threat landscape

As you work to understand your policy details, here’s a list of additional topics to discuss with your broker and carrier: first party expenses and third party liability, extortion losses, post-remediation services, claims handling, forensic evaluations, business interruption, lost income, extra expenses, liability and defense costs, e-crime, notification of breach costs, legal services, explicitly state data breaches, ransomware, social engineering, data recovery costs, hardware related damages, limits for credit monitoring, notification expenses, crypto-jacking, bodily injury, physical damage, hardware replacement, coverage for regulatory penalties and expenses, liability and defense costs and crime, notification of breach costs, reputational damage/public relations expenses, coverage for invoice manipulation or fraud, crypto currency and ransom management, make sure the insured does not pay a sanctioned entity, and an understanding of silent cyber exclusions.

Connect key people and processes—A strong relationship with your cyber insurance carrier, which has always been important, may be more important than ever. Consider selecting an insurer who employs their own cyber security risk assessment/risk quantification consulting experts which helps to create alignment between your cyber insurance and cyber security strategies. You’ll want to ensure that you connect key individuals in your organization with key individuals at your cyber insurance carrier and cyber liability insurance broker. For example:

• Introduce your cyber liability insurance broker to your information technology (IT) team to integrate the expert services and procedures in your insurance policy with your organization’s incidence response plan. Invite your broker to lead the meeting.
• Your cyber policy will dictate the vendors you work with during and after a breach. Make sure your IT team understands the people and processes they will need to follow. If you have strong vendor preferences, work with your broker and carrier to include them in your policy. Ask if they can negotiate discounted rates for these vendors.
• Your cyber policy may also dictate the legal counsel that represents your organization in the event of a claim. Make sure your internal legal counsel is aware of any requirements. A Duty to Defend policy ensures you control your defense counsel selection. If you have counsel you prefer, have this endorsement added to your policy and inquire about discounted rates.

A stand-alone, cyber liability and breach response insurance policy is a critical component of a sound cyber security strategy. But that is not enough. Ensure that you are speaking with your chief information security officer about the five essential questions I outlined in a recent blog post, including development of a cyber strategy roadmap, adequate funding to implement cyber security strategies, connectivity to cyber trends and regular updates for your organization and board of directors.

If you need help in any of these areas, let me know how Vizient can support you. Vizient Insurance Services has business relationships with cyber liability and breach response experts. Whether you are evaluating a broker, insurance carrier or a trusted cyber security consulting firm, Vizient has resources and information to help.