Cyber insurance: Growing pains

Several recent incidents, such as a 2016 ransomware attack on a cloud service provider and the October 2016 DDoS (distributed denial of service) attack that brought down the websites of Twitter, The Guardian, Netflix, Reddit, CNN and others, demonstrate the capacity for company- or industry-wide failure.

Traditional insurance pricing approaches are inadequate

The huge potential of the market along with immature pricing models has led to inconsistencies in market activity. Some insurance carriers use their rating tools solely as a depository for data, and price risks by benchmarking against similar risks. The hope is that one day sufficient data will have been collected and the depository can be transformed into a rating tool.

Residual cyber cover

Additionally, figures for cyber insurance are likely understated as non-cyber coverage may bleed into cyber coverage. Swiss Re has an internal process of categorizing all cyber exposure to analyse residual cyber liability exposures. London’s Prudential Regulation Authority recently published “The Prudent Management of Cyber Underwriting Risks”, raising concerns about silent cyber risks arising from other, broader policies.

Source: Swiss Re Corporate Solutions

Holistic services around cyber

Swiss Re partners with IBM to go beyond cyber insurance and provide testing, recommendations and training for primary cyber insurance customers. Additionally, a partnership with a data analytics organisation provides holistic real-time analysis, and moves towards viewing the whole cyber exposure picture, including the people and processes as well as the technology of an organisation.

Challenges in healthcare

When looking at cyber insurance for healthcare providers, Swiss Re considers five key areas: business model versus high-end security, consolidations and mergers, budgeting and staffing, medical devices, and the overall value of Protected Health Information (PHI).

Underwriters also consider the value of the PHI data at risk, with reports placing the value of healthcare records at between USD 10 and USD 70.

Underwriters want to see a process of control surrounding data categorization and access. They are fully aware that a more robust IT data security standard slows business delivery time. When physicians alone are the decision-makers there might be a lack of cyber security awareness. In budgetary terms, healthcare professionals quite rightly prioritise patient-related technology rather than securing systems.

Connected device risks

Hospitals have dozens of types of devices from different vendors, making cyber security even harder. Consolidations and mergers stack these dozens of devices, vendors, and technologies across merging organisations, multiplying the technical difficulties and IT security legacy problems.

However, medical devices are exposed to the same vulnerabilities as other connected computing devices. While examples of patient injury are few, numerous security experts have demonstrated how these devices - including insulin pumps and pacemakers - can be accessed and manipulated.

Conclusion

The conditions are set for continued growth and evolution, but also for buyers and underwriters to share more and continue to endure the growing pains before the market matures.

Summary of the Centre for Global Dialogue's Transforming Healthcare event in February 2017. Summary by David M. Taylor.