We are now well into the global COVID – 19 pandemic. The news is often grim, but we also see our communities coming together to support each other in so many ways. At HealthSure we are honored to be serving our healthcare providers. You are on the front lines of this pandemic. Struggling to fight COVID – 19 and adjust to the economic reality of “non – essential” medical needs being put on hold.
At HealthSure our promise to you is: Never Go It Alone. Now that statement is more important than ever. Please reach out to your Account Executives, Account Mangers, Risk Advisors or me. We are here as members of your team. Throughout the last few weeks we have been working for you to find solutions for issues during these unique times.
We often work with our clients for solutions that go beyond insurance. We encourage you to continue using us as a resource. Even if your question is about a policy that HealthSure does not work on, we will review it and work to find solutions to help you adjust to meet the needs of our new realities. We always want to do everything we can to assist our healthcare community.
One of our core values is Serve with a Servants Heart. We are proud to be able to serve you in any way we can. The HealthSure Team will continue to fight for you in our home offices. Words cannot express how grateful we are for the work that you are doing for our communities, and how much we appreciate the opportunity to serve you.
When it comes to managing cyber risk, we are all still relatively new at the game… including the companies you count on to pay your cyber claims.
As the frequency, severity, breadth and depth of cyber-attacks and data-breach incidents continues to rise, the insurance industry is being warned to watch what it promises to clients.
In a report titled “Insurance 2020 & beyond: Reaping the dividends of cyber resilience,” a team of consultants at PwC evaluated why is there so much skepticism over cyber insurance among insurers.
Their answers can be boiled down to these reasons:
- Cyber risk isn’t like any other risk they have ever had to underwrite
- There is limited available data on the scale and financial impact of attacks
- The difficulties are heightened by the speed with which the threats are evolving and proliferating
Of course, the PwC team’s primary concern is to help their clients – insurance companies – take profitable advantage of a rapidly growing insurance market. But in doing so, they warned them against:
- Staying on the sidelines too long and missing an opportunity estimated to reach $7.5 billion in paid premiums by the end of 2020
- Jumping in and amassing excessive concentrations of cyber risk without taking into account their ability to withstand a fast sequence of high loss events
- Ignoring the considerable cyber exposures that already exist within their technology, errors & omissions, general liability, and other more traditional business lines
So, what does this mean to rural and community hospital decision makers and their boards?
Overall, what it means is your cyber insurance may not always do what you think it should. Like the insurance carriers, the more you are aware that cyber risk is far more fluid, volatile and complex than traditional forms of risk, the better off you will be.
The PwC team offers eight ways for insurers, reinsurers and brokers to make cyber insurance more sustainable while enjoying profitable growth. In the spirit of one of our greatest passions, helping our clients beat big insurance at their own game, let’s explore the implications of their recommendations for you and your hospital.
PwC Recommendation What PwC says this means to insurance companies (abridged) What (I think) this means to you and your hospital 1. Judging what you could lose and how much you can afford to lose
- Pricing will continue to be as much of an art as a science in the absence of robust actuarial data
- It may be possible to develop a much clearer picture of your total maximum loss and match this against your risk appetite and risk tolerances
- This could be especially useful in helping you judge what industries to focus on, when to curtail underwriting and where there may be room for further coverage
- The premiums you are willing to pay should depend upon a clear understanding of what your insurance contract(s) covers.
- You need to determine – with the help of an insurance expert – what risks you are vulnerable to.
- Your appeal as a client to insurers may increase considerably if you are willing to assume some of the risk yourself... and, even if you aren’t, your ability to mitigate risks will enhance your appeal.
2. Sharpen intelligence
- Develop more effective threat and client vulnerability assessments, (by bringing) in people from technology companies and intelligence agencies.
- The resulting risk evaluation, screening and pricing process would be a partnership between existing actuaries and underwriters, focusing on the compensation and other third-party liabilities, and technology experts who would concentrate on the data and systems area.
- This is akin to the partnership between CRO and CIO teams that are being developed to combat cyber threats within many businesses.
- This recommendation could have been written for all rural hospitals. Knowing as much as you can about the risks you are vulnerable to – and their potential impact – is absolutely essential.
- Like the insurance companies, you are not in this alone. One of the most frequent causes of a cyber event is human error. Ongoing awareness and training is one of your most powerful strategies.
- Your board needs to know. And, they need to be willing to approve what is now an essential budget item.
3. Risk-based conditions
- Many insurers impose blanket terms and conditions. A more effective approach... make coverage conditional on a fuller and more frequent assessment of policyholders’ vulnerabilities and agreement to follow advised steps. This could include an audit of processes, responsibilities and governance... It could also include threat intelligence assessments... provided by government agencies and other credible sources. It could also include exercises that mimic attacks to test weaknesses and plans for response. As a condition of coverage, you could specify the implementation of appropriate prevention and detection technologies and procedures.
- Your business would benefit from a better understanding and control of the risks you choose to accept, hence lowering exposures, and the ability to offer keener pricing. Clients would in turn be able to secure more effective and cost-efficient insurance protection.
- Here it is in spades. You need to think strategically about cyber risk. It is not tactical, “Oh, we’ve got that handled” task. It is an ongoing management function as necessary, if not more so, than traditional functions like patient safety, quality of care, staffing, equipment and building maintenance, etc.
- Benchmarking is your friend. Knowing what your peers and other companies in your region are doing about cyber safety can give you an edge. If you are even slightly ahead of the curve, you will be deemed a better risk.
- By viewing your insurance advisor as a partner in cyber safety, and by allowing them to bring insurance company resources to bear on developing and implementing your
security, training, monitoring and response plans, you will, at the very
least, be insurable. And, at best, receive preferred pricing and terms.
4. Share more data
- More effective data sharing is the key to greater pricing accuracy. Client companies have been wary of admitting breaches for reputational reasons, while insurers have been reluctant to share data due to concerns over loss of competitive advantage. However, data breach notification legislation in the US... could help increase available data volumes. Some governments and regulators have also launched data sharing initiatives... Data pooling on operational risk, through ORIC (ORIC International), provides a precedent for more industry-wide sharing.
- Data sharing is just the start. What can really give your hospital an edge is wisdom sharing. Through associations like TORCH (Texas Org. of Rural & Community Hospitals) and national industry groups like NRHA (National rural Health Association) you can find new ways to connect and collaborate with your peers. Regardless of the challenges you face, or the new ideas you want to try, chances are someone else has been there.
5. Real-time policy update
- Annual renewals and 18-month product development cycles will need to give way to real-time analysis and rolling policy updates. This dynamic approach could be likened to the updates on security software or the approach taken by credit insurers to dynamically manage limits and exposures.
- Here is another recommendation that, with a slight twist, could have been written for rural hospitals. The twist is to see cyber safety as a dynamic, evolving, ongoing function that involves practically every department in your hospital. One that also includes outside providers and service companies.
6. Hybrid risk transfer
- While the cyber reinsurance market is less developed than its direct counterpart, a better understanding of the evolving threat and maximum loss scenarios could encourage more reinsurance companies to enter the market.
- Risk transfer structures are likely to include traditional excess of loss reinsurance in the lower layers, with capital market structures being developed for peak losses... Such capital market structures could prove appealing to investors looking for diversification and yield. Fund managers and investment banks can bring in expertise from reinsurers and/or technology companies to develop appropriate evaluation techniques.
- This one is pretty technical... which means a direct correlation to the needs and concerns of rural hospital leaders is difficult. Perhaps more useful is a discussion of what the future could bring. Take for example, the new re-insurance collaboration among rural hospitals called Community Hospital Insurance Coalition (CHIC). CHIC is an example of what can happen when hospital leaders collaborate to share risk and pool collective buying power.
- Outside the box thinking, fueled by a common desire to protect the health of rural Americans, could very easily lead to the creation of a cyber insurance coalition.
7. Risk facilitation
- Given the ever more complex and uncertain loss drivers surrounding cyber risk, there is a growing need for coordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers. Some form of risk facilitator, possibly the broker, will be needed to bring the parties together and lead the development of effective solutions, including the standards for cyber insurance that many governments are keen to introduce.
- As the insurance industry and its current and future allies strengthen their bonds, so too will they be gaining more power.
- There is safety in numbers for the insured (that’s you!) as well. Collaboration with and within state and national organizations, and perhaps the formation of a cyber-specific rural hospital lobby group, will be essential in balancing the growing power on the insurance companies.
8. Ways to Ensure Your Cyber Insurance Works
- The development of effective in-house safeguards is essential in sustaining credibility in the cyber risk market, and trust in the enterprise as a whole. If your business can’t protect itself, why should policyholders trust you to protect them?
- Banks have invested hundreds of millions of dollars in cyber security, bringing in people from intelligence agencies and even ex-hackers to advise on safeguards. Insurers also need to continue to invest appropriately in their own cyber security given the volume of sensitive policyholder information they hold which, if compromised, would lead to a loss of trust that would be extremely difficult to restore. The sensitive data held by cyber insurers that hackers might well want to gain access to includes information on clients’ cyber risks and defenses.
- Once again, this could have been written for your hospital. Your credibility is at stake along with your financial security.
- The reality of the situation; the pervasiveness of the threat and the grim potential consequences, are evident in sharp relief. Your patients, employees and your community depend on your hospital being there when it counts. If nothing else, this recommendation, even though it is made to insurance companies, should heighten the sense of urgency around implementing an effective cyber safety plan.
Where to from here?
For hospital leaders and their boards, the starting point (if you haven’t already taken it) is to take the lead in evaluating and tackling cyber risk within your hospital. I believe the soundest advice is to create a multi-disciplinary cyber risk management team, rather than simply seeing it as a matter for IT or compliance.
If you wish to discuss any of the ideas and strategies discussed in this article, please contact us.
COVID 19 Information HUB
Have you been overwhelmed and inundated with emails about COVID – 19? We have created a COVID – 19 HUB to provide you with the most up to date information, tools and resources.
Please do not hesitate us if you have any questions or issues.
We have been getting numerous requests from our clients to set up electronic payment.
If you would like to pay via ACH, contact your Account Executive. We will send you our ACH information for you to help you set up payment.
- Pricing will continue to be as much of an art as a science in the absence of robust actuarial data