
Advisen Cyber FPN - Thursday, December 22, 2022

Insurers take pulse of healthcare firms' cyber resiliency as BI losses mount

By Alex Zank, Advisen

While ransomware attacks can wreak havoc on the operations of any organization, healthcare systems face unique challenges as they navigate patient care while addressing network outages. Underwriters say they have their eyes on this developing loss trend.

“Some of the potential BI [business interruption] losses coming out of health care are related to losses developing differently than models projected at the time of underwriting,” Kara Higginbotham, head of E&O and cyber national accounts with Zurich, told Advisen.

The primary difference between health care and other sectors where BI is prevalent, such as manufacturing, is the potential impact on bodily injury or medical care outcomes, explained Higginbotham.

There have been several high-profile attacks on hospital systems recently. One of those victims is CommonSpirit Health, ranked as the nation’s fourth-largest health system.

Any amount of network downtime can have serious implications for patient care. “What we really worry about is the inability to do our mission, which is to provide excellent care to patients and families,” Rebecca Cady, vice president and chief risk officer at Children's National Hospital, told Advisen.

Healthcare providers may delay elective surgeries or send patients to nearby hospitals while dealing with a cyberattack and system downtime. Those decisions lead to deferred income and can rack up an insured’s business interruption costs.

Ransomware criminals understand that disrupting operational systems is the key to getting paid. As such, their focus is increasingly on business interruption, experts told Advisen. Business income loss can increase the total cost of a cyber incident by as much as 30% to 45% compared to incidents without a BI component, Higginbotham said.

“There can be quite a substantial business income loss that is realized in the event when they’re in the process of trying to respond and deal with the intricacies of their business, such as diverted emergency room visits, that we may not be considering fully as underwriters,” said Higginbotham.

Despite the extortion demands grabbing the headlines, BI losses primarily drive ransomware claim costs, according to Lindsey Nelson, cyber development leader at CFC Underwriting.

“Cyber frequency has remained flat for us over the last five years. It’s the severity that keeps us up at night,” Nelson told Advisen. “… We’re seeing it cost 10 times the amount of what a ransomware event would cost about three years ago, so naturally the market has had to respond to that.”

In response to rising claim severity, CFC invested more in its cyber threat analysis teams rather than excluding or sublimiting coverage, said Nelson, adding that many insureds buy a cyber policy primarily for access to risk mitigation and response services.

“What’s changed is not so much an underwriting appetite, but the services that we provide around it to prevent it from happening is really the major driver,” Nelson said.

Seeing the heightened risk for healthcare organizations, cyber insurers are responding with rate increases and reduced coverage, according to Kirsten Bay, co-founder and CEO of Cysurance. Some larger healthcare organizations also see as many as 30 or 40 underwriters involved during policy renewal conversations, she said during a recent virtual cybersecurity forum hosted by the Wall Street Journal.

“We saw some healthcare organizations with a 300% to 400% per-million increase [in premiums], and they also lost coverage as well,” Bay commented. “In the healthcare sector they are being really pummeled.”

Healthcare organizations will see more favorable terms at renewal if they have appropriate security controls and a detailed response plan, experts told Advisen.

Cyber underwriters show a heightened focus on healthcare organizations’ security controls, their data management, and business resiliency plans, said Matt Chmel, chief broking officer for cyber solutions practices at Aon.

“If you’re a bad risk and you don’t have certain baseline controls, getting coverage is a significant challenge,” Chmel said. “It’s not a matter of what cost or what retention, it’s getting the coverage at all without having significant restrictions or exclusions on your policy.”

Underwriters will also request more specifics on what incident response and business continuity plans contain “from a process and income loss perspective,” said Zurich’s Higginbotham. In some cases, they will ask for a detailed business impact analysis to determine the magnitude of a business income loss resulting from a lack of network availability.

Children’s National went as far as creating its own emergency code for a cyberattack, Cady said. Code red is for a fire, code blue is for a medical emergency, and, at Children’s National, code dark is for a cyberattack. During a code dark incident, staff follow steps outlined on their employee badges. The first step is to disconnect their computer from the network.

“We realize that teaching people who use computers all day long how to respond quickly was important, because the faster you can stop the spread of this ransomware, the less lengthy of a recovery time you can have,” Cady said. And with the average downtime from a ransomware attack at 23 days, she added, “that’s a lot of patients not getting the care they need, [and] a lot of staff not able to do their jobs. That’s a big problem.”

Children’s Hospital had a good cyber renewal earlier this year, said Cady, with a policy coming in under what it had budgeted. The organization marketed its program aggressively, she said, by taking its CISO and CIO to meetings with underwriters.

As for security controls, carriers now consider multifactor authentication (MFA) a “purity test,” and include it on applications as a prequalification question, according to Rob Panza, CFC’s senior health care underwriter. Underwriters additionally check for robust security around remote desktop protocol (RDP) ports and they look closely at data management strategies, such as how an applicant protects and stores data.

Underwriters also examine whether an insured demonstrates a good attitude toward cyber risk management. “We can see that by even the way they fill out an application, [through] how much detail they put in about the controls they’re offering,” Panza said. “Do they just check the boxes, or do they give you a nice dissertation about how they go deep and do their due diligence here?”

Reporter Alex Zank can be reached at