H-ISAC Hacking Healthcare 9-10-19 - Health-ISAC - Health Information Sharing and Analysis Center

TLP White: This edition of Hacking Healthcare will explore the topic of cyber insurance. We will briefly discuss what cyber insurance is, what it may or may not cover, why cyber insurance lacks standardization, and what growing pains this industry is working through.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

Cyber Insurance: A Deep Dive

What cyber insurance is (and what it is not)

In simplest terms, cyber insurance is an insurance product designed to help protect an organization from cyber-related risks to their IT infrastructure, data systems, information, and reputation. Cyber insurance policies can be written to insure against a wide range of threats and can cover the costs stemming from “data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations.”[i]

Cyber insurance typically takes the form of either first-party or third-party liability insurance. First-party insurance is meant to protect the policyholder from direct losses related to a cyber incident. This type of protection is designed to cover immediate remediation of the issue and the follow on costs of forensic investigations, reputation rehabilitation, and more. Conversely, third-party liability insurance is meant to cover a client’s systems and networks. This coverage tends to encompass paying for a mistake that may require “reimbursement for legal fees, settlements, damages in court cases and fines that may be levied by government regulators.”[ii]

While it is important to know what cyber insurance is, it is also important to note what cyber insurance is not. It is not a replacement for a well-resourced and mature cybersecurity program. Cyber insurance should only ever be seen as a complement to an already-existing robust cybersecurity program to further protect an organization and its assets.

What should I watch out for?

The nascent state of the cyber insurance market means that the answer to this question is not straightforward. Dennis Nishi of the Wall Street Journal sums the issue up by saying that “there isn’t much standardization in the way insurers are determining risk or even defining attacks” when it comes to cyber insurance.[iii] Furthermore, the clauses insurers may include in their policies may not be as well defined or insured-friendly as purchasers may think. For example, recent high profile cases such as Modelez International, Inc., v Zurich American Insurance Company have highlighted how insurers have made use of a “war exclusion” clause to deny coverage in the context of cyber events associated with nation states or state-sponsored actors.[iv] Other policy terms that can be used to deny an organization’s coverage can be as specific as a “failure to encrypt data on mobile devices and failure to comply with PCI DSS standards” or as vague as “failure to maintain or take reasonable steps to maintain security.”[v]

However, cases like the one cited above are not the norm. In 2018, major insurance carrier Chubb paid out over 90% of their claims and the Association of British Insurers paid out 99% of theirs.[vi]^,[vii]Additionally, many policies cover issues stemming from employee mistakes such as losing a laptop or accidently falling for a malicious phishing scam.[viii]

As for onerous clauses and exclusions, by ensuring you do your due diligence when choosing a policy, you can avoid the worst of these. Cyber insurance experts routinely cite the need for organizations to involve their security teams early on in the process to comb through the policies to fully understand where gaps in coverage might exist.[ix] The rapid growth and competitive environment of the cyber insurance industry should give organizations options when looking for a policy and you should take advantage of that fact to find the best policy for your organization.

Why is there a lack of standardization and so much uncertainty?

A number of factors contribute to the uncertainty and lack of standardization inherent in cyber insurance, but there are two that appear to be the most significant. First, the cyber insurance market is experiencing a period of rapid growth. While research supports that most US-based companies do not have cyber insurance, the overall rate of cyber-insured organizations has risen significantly over the past few years with projections continuing to rise.[x]^{, [xi], [xii]} This growth has led to an explosion of firms attempting to get into the market to establish themselves early, and not all of these firms have a solid understanding of how to approach cyber risk.[xiii] Second, assessing risk for a cyber insurer is incredibly difficult. Most policy underwriters lack sufficient data to create accurate models of cyber risk, which is exacerbated by the fact that unlike natural disasters, cyber risk is constantly evolving.[xiv]^,[xv]

So where does that leave cyber insurance as a product?

With ransomware attacks increasingly making the news, and with the enormous reputational damage and legal fees that can accompany a breach, investing in cyber insurance would appear to be an easy choice. In fact, if you can afford it, it certainly is better to have it than not. However, there are some interesting growing pains for this industry that should be noted.

First, you might have invested in an insurance policy with the idea that, should you be the target of a ransomware attack, you would now be covered to restore lost files from back-ups, run forensics to find out what had happened, and ignore that ransom demand. In reality, it appears to be fairly common practice for an insurance company to recommend or insist that rather than go through the time consuming and resource intensive route of restoring from back-ups, you should pay the ransom.[xvi]

In some ways this makes sense. If you can’t afford to have your systems offline for days or weeks while restoring from back-ups and cleaning up infected devices, paying a ransom may be the quickest way to restore needed functionality. Additionally, ransomware demands have typically not been exorbitant, often being much less costly than a restoration. Nevertheless, this general policy of acquiescence to ransom demands has led to an increase in how often and how quickly ransomware attacks get paid, which is having the unintended effect of actually incentivizing further ransomware attacks.[xvii]

The growth of cyber-insured organizations is increasing the likelihood that engaging in ransomware attacks will lead to a quick pay day. As the attacks increase, cyber criminals are slowly increasing the amount they ask for, because they keep getting paid and the rising payouts further incentivize ransomware attacks. This is creating a somewhat perverse cycle wherein cyber criminals are specifically targeting organizations with cyber insurance policies for easy money.[xviii] Of course, paying the ransom isn’t a guaranteed approach. Some payments have been met by request for even higher sums once the attacker sees that their victims are willing to pay up.

It’s unclear exactly how this issue will continue to develop. It does not appear likely that a comprehensive database of cyber attacks will appear anytime soon to help insurance companies create accurate cyber risk models for their policies. Additionally, the continuous evolution of threats and technology will always lend additional uncertainty. Organizations have a lot to consider when it comes to the type of cyber insurance policy that would best suit them, but thoroughly investigating insurance options for a well-tailored policy can ultimately lead to a another layer of protection against cyber risk.