No Surprises Act 2022 webinar resources

Cyber Insurance Considerations for your Organization

Cyber Insurance Considerations for your Organization

Cyber insurance, also known as cyber risk insurance or cyber liability insurance coverage can help organizations protect against losses resulting from a cyberattack. Cyber insurance generally helps organizations transfer the costs involved with recovery efforts due to a cyberattack such as a security breach, a ransomware attack, or other incidents.

The frequency and impact of cyberattacks continue to rise in the United States. In their 2021 report, the Government Accountability Office (GAO) said malicious cyber activity poses a significant risk to the federal government and the nation's businesses and critical infrastructure, and it costs the U.S. billions of dollars each year. The GAO goes on to say that threat actors are becoming increasingly capable of carrying out attacks, highlighting the need for a stable cyber insurance market.

Cyber Insurance Recommendations

Because recovering from a cyberattack can be costly, the Federal Trade Commission (FTC) has published the following general recommendations to consider if your organization is thinking about cyber insurance:

  • Make sure your policy includes coverage for:
  • Data breaches such as incidents involving theft of protected health information (PHI).
  • Cyberattacks on your data held by vendors and other third parties
  • Cyberattacks that involve breaches of your network
  • Cyberattacks that occur anywhere in the world (not only in the United States)
  • Terrorist acts

Furthermore, consider if your cyber insurance provider will:

  • Defend your organization in a lawsuit against a regulatory investigation
  • Provide coverage in excess of any other applicable insurance your organization has
  • Breach reporting hotline or another mechanism to easily report a suspected breach

First-party cyber coverage generally protects your data, including employee, customer, and patient information. This coverall includes costs related to:

  • Legal counsel to determine your notification and regulatory obligations
  • Recovery and replacement of lost or stolen data
  • Customer notification and call center services
  • Lost income due to business interruption
  • Crisis management and public relations
  • Cyber extortion and fraud
  • Forensic services to investigate the breach
  • Fees, fines, and penalties related to the cyber incident

Third-party cyber coverage generally protects your organization from liability if a third party brings claims against you. This coverage may include:

  • Payments to consumers affected by the breach
  • Claims and settlement expenses relating to disputes or lawsuits
  • Losses related to defamation and copyright or trademark infringement
  • Costs for litigation and responding to regulatory inquiries
  • Other settlements, damages, and judgments
  • Accounting costs

Healthcare Compliance Pros Recommendations

While we are not recommending specific insurance companies, we do recommend discussing cyber insurance with your insurance agent. Whether your organization currently has or is considering cyber insurance, we are adding content in your Security Risk Analysis (SRA) and questionnaire so we understand any coverage your organization may have.

If you are considering coverage, we recommend using the tips the FTC has provided above to make sure your coverage is sufficient in the event of a cyberattack.