As data breaches happen more frequently and cause more damage – both in terms of cost and care quality – having a strong cyber-insurance policy becomes increasingly critical. What health systems are finding, however, is that the process has become more costly and onerous than ever before.
“It’s much more extensive in terms of what they’re looking for,” said Brian Cayer, CISO at Wellforce, whose team recently contracted with a new cyber-insurance carrier. Whereas in the past, the application process involved generalized questions such as, ‘do you have anti-malware capabilities’ and ‘what type of framework are you aligned with,’ now, it’s a different story. Not only are there much more questions — Cayer estimated it at 300 — but the topics are more granular, and there are follow-ups.
“They’re looking for specific areas and controls,” he noted. In fact, “we had to put together an entire presentation about our overall security program for three dozen underwriters and walk them through it.”
Sanjeev Sah, CISO at Centura Health, had a similar experience, adding that insurers are “diving deeper” than in previous years, and that leaders can expect this to be the new normal. During a recent panel discussion, Sah and Cayer spoke with Jonathan Langer, Co-Founder and CEO at Medigate, about what leaders can expect when applying for cyber-insurance, what pitfalls should be avoided, and the keys to obtaining buy-in from the board.
The question many health systems have, according to Langer, is why it has become harder to purchase a plan, and why premiums have skyrocketed. And although the answer is a “confluence of several factors coming together,” the most prominent is the increased adoption of digital tools across healthcare.
Because with that growth comes heightened security concerns, Sah noted. “Some of the new products and solutions haven’t matured from a cybersecurity posture perspective.” As a result, “they’re more likely to introduce new vulnerabilities” that can make organizations more susceptible to attacks. “Given the complexity of the world – and the digital economy – in which we operate, breaches can be extremely harmful,” resulting in both a financial and reputational hit.
“When we think about the mission we have in serving and caring for patients, that’s what is at risk,” he said. “Cyber-insurance is one of the risk mitigation measures that can be taken.”
Obtaining that insurance, however, can be difficult, as there are no set guidelines on what needs to be in place, according to Cayer. “We worked with a brokerage firm which identified 12 key controls, mostly around mitigation of ransomware, and so we walked through those.”
The controls, he noted, are as follows:
- Managed Vulnerabilities
- Patched Systems & Applications
- Logged & Monitored Network
- Filtered Emails & Web Content
- MFA-Controlled Access
- Protected Privileged Accounts
- Protected Network
- Secured Endpoints
- Phishing-Aware Workforce
- Hardened Device Configuration
- Prepared & Tested Incident Response Plans
- Secured & Tested Backups
“There’s a lot of focus on managing vulnerabilities,” he added. “Regularly scanning, penetration testing, understanding and addressing vulnerabilities, patching systems and applications. A lot of it is foundational, but they want to see how well you’re doing it — and they want to see metrics.”
One of the themes that continue to surface is that when it comes to cybersecurity, it’s never safe to assume, Cayer said. “There are always new connected devices and new vulnerabilities. It comes down to, do you have a segmented network? Do you have good incident response and readiness plans? How are your backup and recovery processes? Are they air gapped? Are they encrypted? How protected are they? Do you have management around MFA for access? What accounts are being used and how often?” And the list goes on.
Working with vendors
It can be overwhelming for even the most prepared teams, said Langer, which is why he advised getting started early — even a few months before you had planned to apply for insurance — and being prepared to show, not just tell.
“You have to have real documentation of the policies you have in place,” he noted. “This is the time to brush up and make sure those documents are readily available, because they’re going to ask for validation,” which can be something like minutes from monthly security reviews or revisions of documentations.
“You need to show that you’re constantly upgrading and improving the process and that it’s a living process.” Sah concurred, adding that a third-party validation and successful certification from a security framework can also help build a strong case.
Lastly, Cayer urged attendees to be as honest as possible when meeting with cyber-insurance carriers. “You need to be upfront as to where you are,” he said. “It may affect your premiums, but if you don’t share that information, you’re not protected.”
Those high premiums, however, can make the buy-in process more arduous, particularly for organizations with limited resources. This, according to Sah, is where leaders have to leverage their communication skills. He advised attendees to position cyber-insurance as another form of risk management, an area they’re very familiar with.
“Talk about it in a way that resonates,” for example, how a disruption in service can damage the brand reputation, which can translate to big losses. “When you think about it from that perspective and convey the message in that way, I’ve found that our executives and board have been highly receptive.”
Also important, according to Langer, is setting realistic expectations when it comes to how long the process will take, and what it will cost. “People don’t want to be surprised,” he said. “You need to give them a heads up that it’s going to be more rigorous and it’s going to cost more. They need to know that ahead of time.”
Finally, keep in mind that although cyber-insurance coverage is necessary, it’s only part of the picture, noted Sah. “Cyber criminals have multiple techniques, and they’re looking to take advantage of any gap organizations might have,” he said. “Being prepared with cybersecurity controls and being effective is the ultimate first measure, and insurance coverage is an element to manage cyber risk.”
Langer agreed, emphasizing that insurance is “not a silver bullet,” but rather, “a component of the overall risk management program,” he concluded. “The building blocks of the security program should be built throughout the year. It’s continuous.”
To view the archive of this webinar — Creating the Security Environment Cyber-Insurers Are Demanding — please click here.