Cyber Insurance Does Not Replace Need For Cybersecurity Program

February 02, 2022 - According to the Government Accountability Office (GAO), cyber insurance sales increased from 26 percent in 2016 to 47 percent in 2020. The healthcare and education sectors accounted for a significant amount of cyber insurance uptake rates.

Cyber insurance can help healthcare organizations mitigate risk and manage the fallout from cyberattacks. But Fortified Health Security’s “2022 Horizon Report” urged healthcare organizations to remember that cyber insurance is not a band-aid for inadequate cybersecurity measures.

“Having cyber insurance doesn’t take the place of a strong cybersecurity infrastructure. Increasingly sophisticated attacks continue with larger payouts that make obtaining cyber insurance more difficult — and more expensive,” the report stated.

“Insurance companies are demanding more rigorous attestations and taking additional steps to ensure minimum security standards are met. Remember, if you don’t comply with the terms of the policy, you may not be truly covered during a time of need.”

Critics say that cyber insurance incentivizes criminals to commit attacks because they know that “ransomware victims can skimp on security measures and simply pay the ransom demand, which will then be covered by insurers,” the report noted.

However, cyber insurers are increasingly requiring organizations to implement security technologies, such as endpoint detection and response (EDR) solutions, into their security architecture to mitigate risk. Some insurers will not cover expenses associated with a security incident if the organization did not implement basic cybersecurity measures.

The report likened the current state of healthcare cyber insurance to that of the financial services and retail sectors 10 or 15 years ago.

“At that time, cybercriminals targeted retail, banking and financial sectors almost exclusively for credit card data. These companies weren’t spending enough on cybersecurity protection mechanisms — people, processes and technology — to safeguard that data,” the report explained.

“Changes didn’t occur until the organizations dealing with the associated fraud created Payment Card Industry Data Security Standards (PCI DSS) and a Payment Card Industry Council. These efforts enabled the payment card industry to manage the risk and ultimately transfer liability back to the merchants who process credit cards”

Maintaining PCI compliance is similar to HIPAA in that they both require organizations to take steps to protect sensitive data from harm. The healthcare sector is going through a similar transitional period, the report suggested.

“From a cyber insurance standpoint, especially in healthcare, the threat landscape is rapidly evolving and more changes are coming,” the report predicted.

“The cyber insurance space is also undergoing rapid changes, and your cybersecurity efforts must keep pace. Organizations must be proactive, involved and prepared to maintain adequate cybersecurity insurance coverage. Be aware of renewal deadlines and ensure your security protocols are in line with coverages.”

Fortified Health Security recommended that organizations understand the allowances and limitations afforded by their cyber insurance policies and review security practices regularly. Regardless of whether an organization has cyber insurance to protect business assets, the number one priority should always be to protect patient data.

The report predicted that cyberattacks will continue to increase in volume and severity in the coming years, as suggested by 2021’s largest healthcare data breaches.

“Today, all of healthcare has a bullseye on its back and is being attacked thousands of times daily. No longer can healthcare organizations hope to not be targeted and attacked,” the report maintained.

“It’s not a question of if, but when. Prevention and mitigation are the only acceptable responses. Hoping for the best was never an acceptable position, and today is even less so.”