An awareness of the need to incorporate cyber protection into existing Property & Casualty insurance programs is growing but planning and preparation for the underwriting submission requires a sharp focus to clearly present the risk to the cyber underwriting community.
Identifying New Risk Factors
The ever-evolving threat vectors of cyber-attacks on organizations of all sizes present unique challenges for both insureds and insurers. A 2021 study released by the International Data Corporation (IDC) found that more than one-third (37%) of organizations globally had experienced a ransomware attack during the previous year, and that 87% of those who experienced a ransomware attack or breach ended up paying a ransom at an average cost of nearly a quarter of a million dollars. Global ransomware damages were expected to hit $20 billion last year.
For hospitals and clinics, the avenues of exposure are opening further with the rise in technology being used to administer care. A growing reliance on the Internet of Things (IoT), the digital sharing of biometric data, and the increasing popularity of telehealth options are improving patient services but also forging new areas of risk.
The result has been an increase in cyber liability premiums as the marketplace reacts to these new risks. For larger organizations, there is a growing use of captives as a cost-containment strategy to offset premium increases and fund higher retentions mandated in the commercial market. However, while taking a higher self-insured retention may bring some premium savings, it can be difficult to project expected losses and is far from an ideal strategy for mid-size or smaller health care organizations.
Staying Ahead of the Market
The broader solution is a change in thinking toward identifying risk factors appropriately, rather than cutting capacity. The key is getting an early start on renewals. By engaging the markets early and communicating frequently with a specialty broker, organizations are prepared for shifts in risk and the resultant cost impacts.
An early start also allows an organization to implement any remediation necessary for maintaining insurability in the market. This means getting impacted stakeholders involved up front to accurately assess areas of concern, determine corrective actions, and budget for them. This can be as simple as implementing consent forms where none existed previously or may involve more complex security upgrades.
For organizations with multiple lines of coverage, it is essential to develop an early focus on cyber needs to spot red flags and develop strategies to fix these areas. This requires making an open and honest assessment of potential shortcomings in your IT (Information Technology) capabilities—what may have been good enough last year is often simply not good enough anymore. IT buy-in is essential. Providing technical data an underwriter needs is of the utmost importance. Satisfying rigorous underwriting results in less coverage restrictions and better than average rate increases.
Leveraging Expertise
In this rapidly changing landscape being proactive and maintaining open communications with your broker will yield better results, even if that just means eliminating surprises. With the rising complexity of new threats, even organizations with excellent controls are still facing stringent underwriting challenges based on the quality of risk.
For hospital systems, the impacts of a ransomware or other cyber breach can be especially devastating—often, a literal matter of life or death. These organizations need to recognize that this is critical infrastructure and thoroughly implement best practices to protect data, minimize losses and insulate themselves against high dollar claims and legal action.
Want to learn more?
Find Brad Gabbard on LinkedIn, here. Find Sharon Scheuermann on LinkedIn, here. Find Rob Rosenzweig on LinkedIn, here.
Connect with Risk Strategies Health Care team at healthcare@risk-strategies.com
Connect with Risk Strategies Cyber Risk team at cyber@risk-strategies.com
Email us directly at bgabbard@risk-strategies.com, sscheuermann@risk-strategies.com, or rrosenzweig@risk-strategies.com