Cybersecurity Insurance – What Is It? How Does It Work?

Cyber insurance has been around for almost a decade, but is only now becoming a popular safeguard against hackers.

Cybersecurity insurance is an insurance policy designed to help with the losses from a variety of cyber incidents, such as data breaches, business interruption or network damage. Policies resemble one another, but no two are exactly the same.

Almost every industry, from agriculture to healthcare, is using online data for its services. The so-called “Internet of Things” (IoT) — the network connectivity of everyday objects — will lead to new capabilities that could yield a $3 trillion a year economic increase by 2025, according to a McKinsey Report. Businesses have to keep up with the rest of the market and adapt to the online world.

“Cyber Insurance has been around for many years; however, it has been mostly focused on hardware or physical damage as a result of a cybercrime so most companies do not have coverage for data loss even today,” said Joseph Carson, director of Global Strategic Alliances at Thycotic, a U.S.-based cybersecurity firm.

“With more and more companies becoming dependent on IT and data” there has been “a significant change with data becoming more tangible and having significant monetary value where we have seen the likes of Facebook, Airbnb and Uber becoming multibillion dollar companies almost purely based on information and data,” he continued.

Cybersecurity insurance is only one arrow in your quiver used in the protection of your organization’s electronic protected health information (ePHI). It is only one part of your organization’s mitigation and it is important to remember that it is not the solution to a HIPAA security incident or a HIPAA breach event.

There are two general categories of risks and potential liabilities for ePHI breaches: those that happen within your organization and those that happen with one or more of your vendors or business associates. Since there are two categories, your organization should consider purchasing both first-party and third-party cybersecurity coverage. With these two types of coverage, your organization would be the first party and your vendors and business associates would be the third parties.

First-party losses may include loss of or damage to your organization’s ePHI; ePHI that is corrupted, lost, stolen or ransomed through the loss or theft of devices or due to a virus; network interruption or a denial-of-service attack; or the inability to conduct business due to an ePHI breach or loss.

Third-party risks include your organization’s liability to its clients or patients and, in various states and on the federal level, regulatory investigations and fines.

What incidents might be covered by insurance?

  • Unencrypted devices;
  • ePHI in the control of a third party;
  • Human error, mistakes and negligence;
  • External attacks by cyber criminals;
  • System, data center, or business process failures;
  • Malicious or criminal insiders; and
  • Credit cards.

What benefits, or protections, might be covered by insurance?

  • Notification costs to data breach victims, media and others;
  • Legal defense costs;
  • Forensics and investigative costs;
  • Regulatory penalties and fines;
  • Revenue losses;
  • Third-party liability;
  • Communication costs; and
  • Productivity losses.

There are also very specifically outlined and defined exclusions in a cybersecurity policy. They often include the following:

  • Breaches of PHI in paper files;
  • Claims brought by the government or regulators, including the Office of Civil Rights, the Department of Health and Human Services, and the Office of a state’s Attorney General, plus various states’ laws;
  • Vicarious liability for data entrusted to a third-party vendor, when the breach occurs on the vendor’s system;
  • Unencrypted ePHI; and
  • Late reporting, if your organization waits too long to report the event to the insurance company.

The cost of cybersecurity insurance continues to increase, as does the deductible, the dollar amount that your organization will have to pay up front before any insurance payments kick in. The deductible excess is now $25,000.00 on many policies.

Cybersecurity insurance is quickly becoming a necessity for many healthcare organizations, but it is only one piece of an organization’s mitigation. Other parts of mitigation include: a yearly HIPAA Security Risk Analysis/Assessment, a yearly internal or external HIPAA Audit, and a yearly HIPAA Security, Privacy and Breach Training, plus constant, on-going vigilance.

The need for cyber insurance is more urgent as every sector of society becomes more interconnected through the internet. “Almost all data has a monetary value,” Carson stated. “Absolutely any company that is helping organizations protect and provide cybersecurity to their business and will help reduce the risk of cybercrime” will reap the rewards.

Conclusion: Your organization must understand all the provisions of the cybersecurity insurance policy before it is signed and paid for.

Litmos: Daily Caller
