Cyber Security Insurance: The New Importance of Good Cyber Hygiene

Connor Boudart
Area Vice President, Arthur J. Gallagher
November 8, 2022

Cyber liability was historically perceived as a relatively low-risk, easy-to-secure line of coverage, but recent developments in the global cyber threat environment have forced significant changes in the cyber liability insurance market, particularly in health care. The frequency and severity of breach and ransomware events continue to trend upwards, putting upward pressure on premiums, encouraging underwriters to restrict the scope of coverage, and renewing the emphasis underwriters place on robust cyber security controls as a prerequisite for securing coverage. Strategic Radiology (SR) kicked off a webinar series with partner Arthur J. Gallagher (AJG) to understand the market and explore strategies that mitigate risk and costs.

According to Dean Gereau, cyber insurance expert and Area Vice President with AJG, the preceding two decades of relatively small and infrequent claims had led to a “soft market” in cyber liability, meaning the industry was well-capitalized and enjoyed a healthy competitive environment of multiple carriers writing this line of coverage. The effect was downward pressure on renewal premiums and a general broadening of the scope of coverage.

“That trend reversed beginning in 2019 and 2020 and picked up steam in 2021 and 2022,” he said. “The insurance industry has seen a contraction and a bit of a hard market with cyber liability, and health-care risk has been particularly hard hit.”

As a result, radiology practices, which are more technology dependent than the average family practice, are seeing:

  • Material premium increases
  • Fewer insurers willing to offer this coverage
  • Underwriters exhibiting more scrutiny in what risks they are willing to take
  • More arduous underwriting processes
  • Restrictions in the types of coverage offered

The Current Cyber Scenario

Mr. Gereau’s colleague Connor Boudart, also an AJG area VP specializing in cyber risk, provided some color and numbers to characterize the current scenario in cyber risk. He shared the following data from the Sophos 2022 State of Ransomware Report, which surveyed 4,000 health care entities:

  • 66% of health care organizations experienced a ransomware attack
  • 61% of those attacked paid
  • Average total cost of a data breach was $9.23 million

“In the radiologist space, the average payout is closer to $3 to $5 million,” he said. “We will go through this, but many of those payments could have been avoided.”

The factors contributing to the increased cyber risk include ransomware attacks, zero-day exploits (e.g., SolarWinds, Log4j), and the Microsoft Exchange vulnerability. “They have all ravaged the cyber marketplace, and unfortunately it’s really hard to predict zero-day exploits because they are not known vulnerabilities,” Boudart said. The war between Russia and Ukraine and the resultant cyber conflict is also a growing concern, as are what he characterized as “Cyber Doomsday” scenarios, such as the unlikely possibility of Amazon Web Services going down.

In addition to the risks associated with cyber crime, practices need to be aware of increased regulatory pressure beyond HIPAA and the potential for fines if a practice fails to demonstrate compliance. Boudart mentioned other data handling legislation such as the CCPA, the New York SHIELD Act, and the Illinois Biometric Information Privacy Act. In short, the regulatory framework relevant to a health care practice’s cyber liability risk assessment has grown alongside the nature and extent of extant cyber threats.

Insurance Company Response

The most noticeable response of the insurance companies has been premium increases: a 45% median rate increase in the last quarter of 2021 and a 45% median rate change in Q2 of 2022. But there have been many other changes, including the addition of potential sublimits on ransomware, cyber crime, business interruption, and reputational loss coverages. These coverage limitations “didn’t exist a few years ago, but companies are now adopting them especially if your control environment is not up to snuff,” Boudart said.

Also, coverage limitations are proliferating in policy language, such as exclusions on claims arising from failure to implement software patches in a timely manner, claims arising from widespread, known cyber vulnerability events, and ransomware events. “Things that used to always be covered are commonly now excluded or have co-insurance associated with them,” he said. “Ransomware is definitely what is on everyone’s mind.”

Furthermore, radiology practices will likely see a new war-and-terrorism exclusion coming at the turn of the year, centered on the war in Ukraine. “Similar to what is happening with coastal insurance in Florida, we are moving towards a lack of insurability in some areas, with risks leaving the marketplace and carriers getting rid of some coverages,” Boudart said. He predicted that the industry would continue to see additional coverage restrictions, as insurers seek to trim their policies of any coverage that is not strictly limited to standard cyber exposures.

Finally, practices will continue to undergo increased scrutiny during the underwriting process. “If you are going through an application process, you might notice it is significantly more extensive than in previous years; some of our clients are seeing as many as five times the amount of questions and a scanning element added,” cautioned Boudart. The insurers “are scanning your networks to find potentially exposed vulnerabilities, similar to how a potential threat actor would before launching a cyberattack.”

The takeaway for radiology groups is the need to implement comprehensive programs to protect against a cyber event. “The insurance process is very black and white—you either have a control or you don’t,” he said. “Insurers are not looking to read between the lines.”

As such, early and thorough efforts with your existing risk consultant to ensure your cyber control environment is as robust as possible before approaching your insurer for renewal terms will often pay dividends in program results.

Potential Scenarios and Controls

Mr. Boudart shared the top three potential radiologist claim vectors: dependent business interruption (when the hospital system goes down, rendering you unable to work), employee vulnerabilities (downloading an attachment they should not have), and social engineering (a criminal posing as a colleague or business partner). “Probably the biggest exposure is going to be hospital business interruption, as many radiologists operate behind the hospital’s network,” Boudart said. “If the hospital is hit by ransomware, cyber insurance should kick in and protect against lost income.”

Radiology practices have many options when it comes to implementing proper cyber controls:

  1. Managed Services Provider (MSP). Hiring an MSP can be a simple yet often costly option. A dedicated third-party cyber vendor management contract is “going to be the best at optimizing because they are working on the implementation of a wide variety of controls on a daily basis,” said Boudart. “This can be challenging to manage for internal IT and IS staff when you have so many different vendors for different functions.”
  2. Vendor segmentation. Choosing vendors for the services you need on a best-in-class basis will be cheaper, but will require more work on the part of the practice and runs the risk of poor system integration.
  3. In-House IT Management. Practices may elect to hire and staff their own internal IT/IS team to ensure proper cyber security practices.

“There are a lot of controls that are important to insurers,” noted Mr. Gereau. “But multi-factor authentication (MFA) for network access, remote email access, and back-up systems may be most critical,” he said. “MFA has always been good risk management advice for a cyber hygiene program, but moving forward, it will be extremely difficult to get an insurance company to issue a quote for a radiology group that doesn’t have MFA in place.”

Mr. Boudart agreed. “MFA is so important that it’s plausible we one day move towards more than two forms of authentication,” he said. “The more authentication layers you can add, the more secure you will be.”

The Bottom Line

Pricing in this space is evolving rapidly. The second and third quarters of 2022 have posted average rate increases of 40% on renewals without claims and with optimal cyber security controls. Additionally, policies are not homogeneous in the radiology market, Mr. Gereau noted, as each practice will need to evaluate its cyber risk appetite and preferred level of risk transfer. “Different groups are going to have different needs,” he said. “Policies are going to be different from group to group, because not everyone needs every coverage.”

Limit benchmarking is another tool used in evaluating the appropriateness of a cyber liability program: should a practice carry $1 million, is $3 million appropriate, or should it go up to $10 million? “That is a difficult question to answer because that is going to depend on the size of your practice,” Mr. Gereau said. “There are various limit benchmarking services that can help you with that. I would definitely encourage you to request that report from whomever you are working with, and that it include peer groups with a similar practice profile.”

“Unfortunately, cyber attacks are becoming quite frequent in large organizations, and we have all been impacted one way or another,” said Barbara Deppman Perez, FRBMA, FACHE. “There are a number of organizations out there that offer the overall breadth of cyber security and the various aspects that you need in your practice. But as I was speaking with vendors and a lot of the CTOs and CIOs in our practices, I realized that cybersecurity has become exceedingly specialized and that is how we landed on a cybersecurity series, beginning with an overview from our partners Arthur Gallagher, who offer cyber insurance. We will now move on to explore various vendors and potentially identify some that we might approach to become Group Purchasing Program partners.”

Note: Strategic Radiology members who missed the presentation may access the complete recording of Part I in the Compliance section of the Member Portal, in which cyber hygiene controls (and vendors) that are important to insurers are identified, along with tips on vetting them.
