This US industry is ‘woefully behind’ on cyber security

This US industry is ‘woefully behind’ on cyber security | Insurance Business America

A new report from Forrester may point insurance agents in the right direction for their next cyber insurance policy sale.

According to the analyst, the US healthcare industry is significantly underprepared for an attack on its information databases or even for an accidental data breach.

“When it comes to preparedness, they’re woefully behind and that, to me, is a concerning thing,” said Forrester analyst Stephanie Balaouras. “They’ve done it begrudgingly and they’ve done it as something that they need to comply with at the lowest possible cost, as opposed to something they really embrace.”

This is despite the fact that last year’s Anthem Blue Cross Blue Shield breach is second only to Home Depot in terms of the number of victims. The Premera Blue Cross hack, which breached 11 million customer records, is also in the top five.

In fact, a Ponemon Institute report released earlier this year shows that nearly 90% of US healthcare providers have been hit by a data breach since 2013. And the cost isn’t cheap – all told, these incidents cost the industry an average of $6 billion a year.

While healthcare companies are at least improving in their purchase of appropriate insurance coverage – 50% now have a policy, according to a Marsh report – there is definite room for improvement.

Many firms are still kept away by high costs. The high number of data breaches involving healthcare companies is not lost on carriers, and reports of cyber premiums tripling for businesses in this industry are not uncommon. Deductibles are also on the rise, with some now reaching into the $25 million territory for $100 million policies.

In short, capacity is not where it used to be, says cyber insurance broker Jack Elliott-Frey of Safeonline LLP.

“[The healthcare industry] is prone to damaging losses if personal health information and payment details are exposed,” Elliott-Frey told Insurance Business America. “There is a lack of capacity here as insurers are less inclined to underwrite organizations with large amounts of patient data.”

Yet coverage is imperative, as many industry analysts predict the onslaught of cyber attacks against healthcare companies has just begun. The Forrester report also suggests that hackers will release ransomware in the coming year for medical devices or wearables.

In addition to selling coverage, insurance agents can also act as informal cybersecurity advisors to healthcare organizations. A Wells Fargo report released earlier this month shared the most common gaps in the average company’s cyber defense. They include:
  • Not having a data breach response plan in place. While 35% of companies say they are concerned about data leaks and 25% are concerned about hackers, one in 10 said they do not have an existing response plan in place.
  • Not testing their plans. One in 10 companies that had to implement their post-data breach response plan did so without testing it beforehand, and a full 74% said they needed to revise their plan following the incident.
  • Not training their employees. Around 27% of companies do not have an employee awareness training program for cybersecurity and data privacy, and 20% of companies with fewer than 2,000 employees do.

“While companies recognize the need for cyber security and data privacy insurance, purchasing coverage is not a complete solution,” said Dena Cusick, national practice leader with Wells Fargo Insurance’s Technology, Privacy and Network Risk National Practice. “It’s also important to recognize that other factors, including testing incident response plans, employee awareness training and following established privacy policies, are all critical components of an overall risk management program.”