The cyber insurance market has exploded in recent years, from approximately $600 million in premiums paid in 2010 to over $2 billion in 2016. It’s no coincidence that this period of rapid growth coincides with the passage of the HITECH Act in 2009, which ushered in a new era of HIPAA enforcement, including stiffer fines for violations. It’s also no coincidence that cyberattacks have been steadily increasing. 2015 saw the largest cyberattack ever with the Anthem breach, which resulted in the theft of almost 80 million records. Last year ranked second in total records breached. And the five largest HIPAA breaches, accounting for roughly 11 million records, were all caused by cyberattacks.
Many organizations that handle PHI mistakenly assume that their general liability policy will cover them in case of a HIPAA data breach. But insurers have been arguing – successfully in most cases – that standard liability policies were never intended to cover data breaches. Some of the successful arguments insurers have used when dismissing claims include: electronic data is not a “tangible” asset; disclosure of information cannot be assumed or proven when devices are lost; and only disclosures by the policyholder are covered, not disclosures by hackers or third parties such as Business Associates. To end any doubt about coverage for data breaches, most general liability policies sold today now contain data privacy and breach-related exclusions.
In its Cyber Insurance Buyer’s Guide, Taft, Stettinius & Hollister, LLP, states that because the cyber insurance market has grown so quickly, it lacks the level of standardization that exists with general liability policies. Among the approximately fifty companies issuing cyber insurance policies, there is a wide variety of terms and conditions, benefit limits, coverage categories, and of course, costs. In addition to the lack of standardization among insurers, insurance policies are interpreted under the governing state law, and there is also wide variation in how the different policies are interpreted across states.
So, what’s an organization to do?
Shopping for your Policy
There are some basic steps every organization should take before purchasing cyber insurance. To begin, you must first understand the risks to your organization. The best way to do this is to complete a comprehensive risk analysis. This will enable you to identify how much PHI you have, where it resides, and what the unique risks are to that PHI from both within and beyond your organization.
Once you know how much data you have, how well you have that data protected, and what your unique risks are, you’ll need to figure out how much coverage to purchase. Cyber insurance usually consists of two coverage categories:
1. First Party Costs – These are costs incurred by your organization directly related to a breach, such as the loss of revenue due to business interruption, money spent to conduct forensic investigations, and the cost to restore computer and network functionality. When estimating your potential first party costs in the event of a breach, you should consider things like:
- How long would it realistically take to “stop the bleeding,” i.e., find and stop the source of a breach?
- How long could your organization’s normal business operations be impacted?
- Would you be likely to incur costs to resume operations, such as software or hardware upgrade or replacement?
2. Third Party Costs – These are the costs for everything else: government inquiries and resulting fines, notices and credit monitoring services for impacted individuals, and fees related to litigation resulting from your breach, to name a few. When estimating your potential third party costs in the event of a breach, you should consider things like:
- How much would it cost to notify each person whose data was breached?
- Will you also need to provide credit monitoring services to those individuals?
- How much would you incur in attorney fees?
- How much would you pay in HIPAA fines?
- What would be the costs to other Covered Entities and Business Associates impacted by your breach?
- What about intangibles, such as the cost of harm to your reputation?
After you’ve estimated the amount of coverage you’ll need, it’s time to go shopping. Your agent is your first stop, but not necessarily your last. Make sure your agent is up to speed on the new and quickly evolving world of cyber insurance. You should also consult with an attorney familiar with HIPAA regulations and well-versed in how your state, and any other state in which you do business, interprets these policies. Make sure the attorney also reviews how your cyber insurance coverage impacts the Business Associate Agreements you execute. For example, although not required by the Department of Health & Human Services, many Covered Entities attempt to insert indemnity clauses into their BAAs. By agreeing to these provisions, you may be unknowingly nullifying your own cyber insurance policy.
Finally, and most importantly, once you’ve selected the cyber insurance policy that’s best for your organization, make sure you take the time to read and fully understand the application questions before answering. Answering questions incorrectly, or purposely lying on the application, is not only fraudulent, it increases the likelihood your insurer will challenge your claim. Cyber insurance is something you never want to use, but if you do ever need to use it, you don’t want your insurer to deny your claim because of how you completed the application.