Cyber insurance in action: Insights and cautionary tales
In July we invited Petra Lucioli, Claims Manager at Delta Insurance, to share her insights on cyber insurance claims at the PHO CIO Forum. Petra has been looking after cyber insurance claims for six years and had some useful (and frightening) insights to share with us.
What is cyber insurance?
Firstly, what is cyber insurance for? The Delta Insurance website says, “Cyber insurance protects you against liabilities arising from data protection laws, management of personal data and the consequences of losing information.” Responding to a cybersecurity incident can be extremely costly because if patient identifiable health data has been compromised, this is considered a privacy breach.
How is the health sector affected?
The health sector is in the top five industries for cyber-attacks because the data is sensitive and, therefore, more valuable.
The health sector is also at risk because of the high interconnectivity of systems. Petra pointed out that the system is only as strong as the weakest link, and this presents a big challenge when trying to protect data.
In addition, cyber security awareness and know-how is still developing within smaller providers. Petra’s recommendation to smaller providers is to be careful before outsourcing your systems, and make sure you take the ultimate responsibility for making sure your providers have high levels of capability.
What are the common cyber insurance claims?
The largest volume of claims in the health sector are related to accidental error. A recent claim involved an error in transmitting data between two different organisations, which resulted in failed medical referrals. Another claim – caused by a failure of data backup – resulted in a loss of patient records.
When it comes to all industries across New Zealand, the number one claim in the last year was related to invoice fraud caused by email compromise – fraudsters gain unauthorised access to an organisation’s email account and sends out invoices to the organisation’s contacts with the scammer’s bank account details. This is unfortunately common with Office365 email breaches, which could have been easily prevented by enabling multi-factor authentication (which we gave advice on recently).
How much do claims cost?
The statistics listed below relate to the average New Zealand business, across all industries.
- Invoice fraud claims range from $15,000 – $750,000. The average claim is $50,000 – $100,000.
- Ransomware claims come in at an average of $25,000. This is compared to six years ago when they were an average of $1,000 per claim.
- The cost of data restoration depends on the size of network, but it can become substantial. It’s not only the time to recover the data, but the time to contact individuals who have been affected.
- Forensic costs can be around $5,000 per end point – you need to figure out which end the breach occurred. This is where the largest claims tend to be, for example if a network has 100 end points.
- A business may also need to pay $400 – $500 per hour in legal fees and $200 – $300 per hour in public relations fees (depending on the nature and severity of the claim).
How does cyber insurance relate to the new privacy laws?
New privacy laws come into effect from 1 December 2020 and include mandatory breach reporting and new powers on the part of the Privacy Commissioner (for example fines for organisations that breach the new law).
Petra expects to see increased media attention on privacy breaches, and the cost of privacy breaches increasing because businesses need to do more reporting on breaches and spend more time contacting individuals who have been affected.
One example she described appeared to be a straightforward situation of invoice fraud by email, which quickly became a privacy breach as well. When an attacker breaks into a user’s email account, often due to weak passwords, they can then access the entire mailbox which compromises every single email. If the mailbox contains any personally identifiable sensitive data, even though it wasn’t the original purpose of the hack, the data has been breached.
The Privacy Commissioner will likely take a view that this is now a reportable breach, and the business will need to spend time reviewing the entire email mailbox and then contacting all individuals who are impacted. You might be looking at five years’ worth of emails and you have to work out which ones have sensitive data – a very expensive exercise.
How can Patients First help?
While cyber insurance is a helpful safety net to protect your organisation from financial risk, it is only a backstop and you should also invest in resilient cyber security defence measures to prevent breaches and respond effectively to incidents.
Please do not hesitate to contact Patients First if you need cybersecurity advice on the next steps to take. We also offer to PHOs a FREE one-hour security assessment of any online service(s) that you manage. Get in touch with us to arrange or to find out more.