By Pamela Arora, Senior Vice President and Chief Information Officer for Children’s Health
Cybersecurity insurance should not be a substitute for having effective cybersecurity policies, practices and technology, any more than the commercial property insurance that covers theft should be a substitute for having locks, guards and security cameras. Businesses should do everything possible to make sure that breaches will not happen by reducing their risk. Equally important is being able to demonstrate that the risks are low because of an effective cybersecurity posture that’s continuously being reviewed and improved.
That’s where the actuaries come in.
Unlike with homeowner’s insurance or auto insurance, there aren’t standard tables that look at whether the house is on a flood plain, or the driver is a student with good grades and a clean record; there is very little actuarial information for cyber insurance. Instead, the insurance quote, as with most institutional insurance programs, is heavily customized.
Fortunately for all parties, businesses can document whether their security policies and practices conform to broadly accepted enterprise security frameworks and standards. Some of these are common across all industries, such as the U.S. Government’s NIST Cybersecurity Framework (CSF) and the American Institute of CPAs’ SOC reports, which provide assurance about the security controls of a service organization. Others are industry-specific, such as the government’s HIPAA standards for protecting patient healthcare information. Finally, some standards span all of those categories, such as HITRUST’s CSF, an industry-driven cybersecurity framework and certification platform for healthcare organizations. HITRUST’s CSF encompasses the NIST, SOC and HIPAA standards in a single framework.
Security standards and frameworks are important, especially in a field like healthcare, where the value of stolen information is high. According to The Sixth Annual Survey on the Current State of and Trends in Information Security and Cyber Risk Management, conducted by Advisen and sponsored by Zurich North America, industries with substantial PII, PHI and/or PFI — including electronic health records — consider cyber risk in general to be a more significant threat. When personal or medical data is stolen or otherwise compromised, the cost of a breach can be tremendous – which is why cybersecurity insurance exists as a product.
The process of applying for cybersecurity insurance can be onerous. I spoke with Michelle Chia, Vice President, Zurich North America, who points out that each client has unique risk factors. “Even though applications represent a lot of effort on the applicant’s part, the benefit of the carrier and the customer collaboratively understanding the company’s risk to better protect themselves through a combination of risk mitigation and risk transfer isn’t always realized.”
Knowing this, insurers often follow up with extensive interviews with the underwriter’s assessment engineers who ask, “what do you do, and why do you do it that way?” It’s an arduous process for all parties — and even with those interviews, insurers can’t accurately view the risk and the applicant can’t present their true capacity to secure their sensitive data in an accurate, and favorable, light.
That’s where a risk assessment framework comes in, Ms. Chia says, citing a program where the insurance company she represents, Zurich North America, has collaborated with HITRUST to utilize the HITRUST CSF certifications as part of the underwriter’s risk review process. In this case, certifications aren’t used only for applying for cybersecurity insurance; they are also used to satisfy external audit and compliance requirements, and internally as a security review and risk management baseline.
Ms. Chia pointed out to me that Zurich’s risk engineers – yes, they use engineers to determine IT risk and security competence – work with potential clients at no charge to assess risk in the context of gaining a cyber insurance policy. “HITRUST set the bar for an acceptable level of residual risk, reducing the need to allocate our engineers to support the application process. Zurich will still provide feedback into the policy – delivered through the framework which can then apply to all healthcare organizations. It’s a win-win-win for all parties.”
My own hospital, Children’s Health in Dallas, Texas, leverages the HITRUST CSF to help make sure our third-party suppliers are cyber-safe, and that means encouraging those providers to be HITRUST CSF certified. After all, when it comes to cyber, you’re only as strong as your weakest link. We need objective measures to determine how strong (or weak) those third-party links are, and that’s where the framework comes in.
A colleague of mine, Sanjeev Sah, Chief Information Security Officer at Texas Children’s Hospital in Houston, told me the same thing: “We take a third-party vendor’s HITRUST CSF certification with a high level of confidence and therefore don’t put that vendor through a bunch of assessment hoops.”
The best possible case is to work through the risk-assessment process internally, tapping the resources of the risk management, IT and security offices, to get the best possible programs in place to manage risk, implement security policies, apply controls, and have an incident response program in place – and then audit and report against it using a standard, reusable framework. In this way, the same reports used to certify that the organization has adequately addressed its business risk can be delivered to the insurance companies as a means of demonstrating the same to them.
By extending the results of those efforts — the certifications — beyond the four walls of the business (like my hospital) to encompass third-party providers and insurance firms, every entity and associate operating within the healthcare ecosystem can save a lot of time and money while also improving the security posture of the entire supply chain. That lets us, for example, invest more resources in delivering better healthcare, instead of wasting countless hours on compliance paperwork. As Ms. Chia says, win-win-win.
When it comes to cybersecurity insurance, as with all insurance, actuaries evaluate risk factors at the portfolio level to set pricing, and underwriters assess risk on an individual account basis; together they set the insurance premiums accordingly. Businesses in all industries, not only healthcare, can manage and reduce their risk – and make themselves more attractive to underwriters – by conforming to widely accepted cybersecurity standards and frameworks. The cost of cybersecurity insurance is high, but that, too, can be managed.