November 8, 2022
Cybersecurity Liability Insurance Rates are Rising – What You Can do to Lessen the Burden
Cybersecurity liability insurance premiums are rising, sometimes exponentially. You’re likely wondering what is driving this increase and what you can do to bring your premiums down. Read below for answers to these questions and more.
Factors Impacting Why Cybersecurity Liability Insurance Premiums Are Increasing
As with any insurance, many factors go into determining your premiums. Cybersecurity liability insurance is no different; however, some healthcare organizations are seeing their insurance premiums increase even when they haven’t had a breach. Why is that?
Here are some of the reasons that we are seeing for the increases.
- Ransomware is on the rise – cyber insurers realize that attacks will only get worse, so they are getting better at asking more in-depth questions to uncover how ready you are to stop an attack. As a result, you may notice an increase in the documentation required.
- As a result of insurers asking more in-depth questions, they are identifying more risk areas; therefore, they charge more to be insured.
- Insurance companies have also started to do spot checks, and if you are unprepared to answer their questions, they can raise your premiums.
One example of a cybersecurity liability insurance company taking a harder stance on identified risks involved a particular hospital: the insurer did an evaluation and told the hospital that it had to implement MFA within eight weeks, or the insurer would not be able to insure it. For the hospital to implement MFA, it needed to update its Cath lab because the current version could not support MFA. Unfortunately, updating the Cath lab would cost the hospital $700k, which it could not afford to do at that time.
Understand What Your Liability Insurance Covers
Often, hospitals think that cybersecurity liability insurance covers all instances of a cyberattack, and they will be covered should it happen to them. This is not always the case. You must understand what is covered, as this may impact how you respond to certain situations. You should also be aware of the process and requirements the insurer expects in the event of an attack.
Some examples to consider are below:
- Will your cybersecurity liability insurance cover the cost of paying a ransom? A Department of Treasury notice says that you may be violating national security rules if you pay a ransom, so many insurance policies won’t cover the ransom. Be clear on what your insurance provider will actually pay for.
- Some cybersecurity insurance policies state that if you have an attack, you need to turn over operations to the insurer, or they won’t pay anything. This could go beyond your IT infrastructure – it could mean turning over operations of legal counsel and other departments. This could be a bad situation. Be sure you understand if there are any turnover requirements in your policy after a ransomware attack.
- You should have a plan for disclosing to patients that there is a potential security risk if you are under a cyberattack. This has implications for lawsuits down the road if not handled appropriately.
What are Insurers Looking for You to Do?
Your cybersecurity liability insurance company should provide details about how you can meet requirements to reduce risk and premiums. There are some common things that most insurance companies will look for or require, including:
- Multi-Factor Authentication – MFA can be bypassed, but it is still a must-do and the minimum requirement for admin accounts (if you don’t have MFA for every application, your premiums will likely be higher). Insurance companies will also look at how strong your backup system is – this drives how much recovery costs.
- Patch Management – additional scrutiny of the admin accounts will help – how are you managing your admins across the environment?
- Incident Response – do you have a professional incident response plan?
- Cybersecurity Awareness Training – this includes not just phishing training; you should do ransomware testing too.
- Logging and monitoring – a SIEM is not enough – you need deep packet inspection and other monitoring technology.
- End of Life – don’t keep applications that are end of life (this goes beyond servers).
- Supply Chain – how are you vetting and managing your supply chain? Are you doing risk assessments? How do you ensure your vendors are maintaining the same security standards? Your BAAs should have the same security guidelines as you; for example, saying “they should be HIPAA compliant” doesn’t mean they have the same security controls in place.
There are many other things you can do to reduce your premiums, but you need to be in communication with your insurance company, have the ability to show how you are mitigating risk, and include your C-Suite in your planning.
If you’re looking for a complete solution to comply with best practices, monitor your network to detect threats, and be able to show you can respond to an incident, I invite you to check out our Cybersecurity-as-a-Service platform. We can take the burden of managing your cybersecurity program off your team, and likely lower your premiums in the process.
Please reach out with any questions, or for more information, contact us at firstname.lastname@example.org.
Laura Pursley is the marketing director at CloudWave.