[BreachExchange] Recent CyberSecurity Incidents Emphasize Importance of Cyberinsurance

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 28 17:26:25 EDT 2016


http://www.jdsupra.com/legalnews/recent-cybersecurity-incidents-32243/

As cyberattacks continue to pose daily threats to businesses large and
small, more companies have turned to cyber insurance products to shore up
protection against these disruptive threats. A spate of recent incidents
has highlighted the importance of taking steps to prepare for and mitigate
possible damages. As such, healthcare entities have begun exploring
cyberinsurance as a way to help secure company data as well as their
financial security.

Cyberattacks may take several different forms and inflict various types of
damage. Most commonly, hackers have managed to access consumers' private
information or protected health information (PHI) from companies. National
retailers have recently been victimized by massive customer data breaches.
Similarly, the health care sector has seen several entities fall victim to
this type of cyberattack.

Ransomware, in which hackers implant a virus/malware into an entity’s
network to block access to patient information, has begun to occur with
more frequency as well. Hackers then demand a ransom payment in order to
remove the virus/malware from company systems. MedStar Health, a
10-hospital system in the Maryland region, and Hollywood Presbyterian
Medical Center, in California, both recently had to contend with
ransomware attacks.

In an alarming trend, cyberattacks have spread beyond data theft and
ransomware. Johnson & Johnson recently issued a warning to
users of an insulin pump that the device may be vulnerable to cybersecurity
attacks. Horrifically, such attacks could result in a hacker infusing
incorrect doses of the diabetes medications without the user’s consent,
furthering an alarming trend of thousands of medical devices—dialysis
machines, ventilators, medication dispensers, and patient monitors—being
susceptible to data/privacy breaches, unauthorized access, and potentially
life-threatening malfunctions.

Cybersecurity threats have become a nefarious fact of life for those in the
healthcare industry. While no amount of security or diligence can
completely eliminate the threats, the industry must work to manage the
threats and mitigate their risks. Cyberinsurance is one option for these
entities. Cyberinsurance policies are often packaged with risk monitoring
and management programs and certain other benefits, such as security risk
assessments and access to data breach response experts, to assist in
reducing an entity’s exposure. These resources are especially valuable
for small to mid-size companies, which might lack the internal capabilities
to prepare for and protect against the attacks.

Cyberinsurance policies are relatively new, so companies must conduct
thorough due diligence and carefully select products that address specific
business and insurance needs. Below is a sample list of considerations for
selecting cyberinsurance policies:

- Determine desired scope of coverage—a broad policy might cover both data or
  access breach incidents and business interruption.
- Ensure policy matches size, business model, and potential exposure,
  including retroactive dates if necessary.
- Minimize gaps between specialty cyber policies and traditional lines of
  coverage, including commercial general liability and directors and officers
  insurance.