Cyber insurance provides an opportunity to address residual risk in your information security program to offset the costs due to a data breach of ePHI. However, individuals polices, coverage and exclusions are highly variable, so just like any security control it’s important to understand your security risk profile before an appropriate security insurance policy can be defined. An assessment, such as a HIPAA Security Rinalysk Asis should be the first step in any insurance policy strategy. Here’s why:
You’ll have to do one anyway. The most important factor in most enterprise cyber insurance rates is the state of your current security controls and your revenue. So not only is a security risk analysis an essential part of any robust information security program that you should be doing anyway, but this will be a factor in your rates and likely a requirement before you secure a policy.
The safest approach is to avoid a breach in the first place. Most policies will require substantial out-of-pocket expenses to be paid by the insured regardless of your coverage. No insurance can fully replace lost productivity and brand damage due to a breach. A recent study released by Carnegie Mellon University (and others), “An Empirical Analysis of Data Breach Litigation,”notes that “the odds of a settlement are found to be 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware, and the compromise of medical data increases the probability of settlement by 31%.” Thus, insure against theft but still spend money on locks for your doors!
Your risk profile will enable a better tailored policy. Cyber insurance policy coverage is highly variable and configurable. Policy buyers need to be aware of what is covered and that distinct coverage, limits, and deductibles may apply for individual risk categories. In order to ensure that a policy is tailored for your individual risk profile it’s important to understand where your risk lies. Areas that can be insured typically include regulatory fines and penalties, claims and lawsuits and response costs such as breach notification for affected customers, credit monitoring, forensic analysis, legal fees, and public relations outreach.
Do you really know where your risk is? A key area of risk that a security risk analysis illuminates can be the extent that Business Associates (BA) factor into your overall risk. Our experience is that BAs often pose more risk than might be expected in terms of the amount of ePHI that they access and/or host because their security controls are not always on par with that of the healthcare organization that provided the data despite the Business Associate Agreement that is in place. This is particularly relevant when the BA is a cloud provider. A security risk analysis should clarify the extent of cloud-based and BA risk so that this critical part of the policy can be defined appropriately.
Cyber insurance can prove to be an effective tool for mitigating the fiscal impact of an ePHI data breach. With proper policy review and selection, guided by an informed view of your risk profile, it’s more likely that such a policy can achieve your objectives and be accurately scoped.