[BreachExchange] You’ve been breached, so what does that mean with cyber insurance?

Destry Winant destry at riskbasedsecurity.com
Thu Oct 25 01:17:58 EDT 2018


In this current threat landscape, healthcare data breaches are common
-- if not nearly inevitable. Cyber insurance policies can provide some
protection in that worst case scenario, but only if an organization
has carefully selected the right policy and carrier.

But cyber insurance isn’t some magic cure-all. As with any type of
insurance, a healthcare organization must hold up to its end of the

Here’s what Jane Harper, Henry Ford Health System’s director of
privacy and security risk management, and Matthew Fisher, partner with
Mirick O’Connell, had to say about the legal considerations an
organization needs to weigh after a breach.

First steps

Once a breach has been confirmed, healthcare organizations need to
tell the insurance broker as soon as possible, explained Fisher. That
way, officials can figure out early whether there are any potential
objections to coverage.

“The insurance broker will want a role in the investigation,” said
Fisher. “It could be immediate, and they’ll help right away or ask for
an assessment before they get someone in place. The insurance carrier
may have the tools.”

“So it’s always best to notify the carrier as soon as possible to take
advantage of these tools and experience,” he added.


As with the variations in policies and coverage, each insurer will have
its own preferences on how to handle a breach -- including the
preferred vendors and/or investigators an organization must use in
case of a breach, Harper explained.

“The insurance carrier may require you to use a third party that they
approve and that they work with on a regular basis,” Harper said. “You
may not be able to use your own investigation team and may not be able
to get outside counsel: that may be dictated by the insurance

It’s also important to note that the third party is gathering evidence
on behalf of the insurance company, “so when they write the report and
finding all of those things, they’re very, very much the property of,
not just your organization, but the cyber insurance company,” she

“And the results of the investigation can possibly dictate whether
these people believe your breach or incident is covered,” said Harper.

So if an organization wants to be able to hire its own investigative
team and counsel, “those items need to be worked on up front when
building the contract,” she explained.

For example, imagine you own a home and have a homeowner’s insurance
policy. If there’s a fire, the insurer will hire a company to
investigate the fire and determine the cause. The investigator will
return a copy of the report to the insurer -- “working on behalf of
the insurance company,” Harper said.

The investigation may be part of the policy, but that report is for
the insurance company and may not examine those finite details a
healthcare organization needs to know -- like the type of virus,
Harper explained.

“If you don’t want that to be the case, you need to get that upfront,” she said.

Not only that, but the insurance company is also trying to manage cost.

“We write policies sometimes, not expecting that the cost of the
policy would be more than the review as a result of the policy,” said
Harper. “At that point, now there are these issues and you’ve had an
incident, someone is about to spend money.”

Harper advised being careful when an insurer hires the third-party
investigator because “they’re trying to manage costs,” she continued.
“They may not hire the most advanced team.”

In fact, Harper explained that she’s worked with forensic
organizations in her own personal capacity, and “sometimes they never
find out who did it and what exactly happened.” Consider the major
breaches at Target, Equifax, Home Depot and the like -- and how many
years it took to determine the cause.

Ultimately, organizations need to take their time with researching and
selecting the right carrier and policy.

“At the root of insurance: It’s a way to manage risk related to cyber
activity that could affect the availability and integrity of your
personal information,” Harper said. “You want a carrier who’s going to
partner with you -- not just what you’re covered for -- but what
you’re not covered for so you can develop policies to cover those
