As new research shows that companies now rank data breaches as a more serious risk than natural disasters, HRMR asks why the threat is so great and what can be done about it.
A new study by Experian Data Breach Resolution and the Ponemon Institute shows that companies now rank cyber security risks as greater than natural disasters and other major business risks.
The August 2013 report, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, is one of the first to examine corporate adoption and attitudes about the rapidly evolving cyber security insurance market and how companies are managing the potential financial damage of breaches.
Respondents include senior privacy and compliance professionals involved in evaluating cyber insurance policies and corporate risk management. The top industries represented are retail, public sector, health and pharmaceuticals, and financial services.
Companies surveyed acknowledged the potential financial impact associated with security breaches. For the 56 percent that experienced breaches, the average cost of these incidents was $9.4 million in the last 24 months.
However, these costs are only a fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to cyber incidents.
“We are reaching a tipping point where the majority of companies we surveyed now rank cyber security risks as being as high as other major insurable business risks,” says Michael Bruemmer, vice president at Experian Data Breach Resolution. “We anticipate that demand for cyber security insurance is likely to increase to meet evolving breach response policies.”
According to Brad Gow, vice president, Endurance, healthcare providers are at the forefront of demand for cyber liability cover.
“There is huge growth in demand for cyber insurance, and healthcare is one of the main drivers of this in the US,” he says. “The top tier healthcare organizations are all buying security and privacy insurance now and some middle tier regional healthcare organizations and smaller hospitals are following suit. They realize the need for the coverage; they are reading about fines and penalties in the press and seeing an increase in consumer class actions arising out of these publicized breaches.”
Bob Parisi, Marsh’s network security and privacy practice leader, says there are two main factors driving demand for cyber liability coverage. One of these is the fact that protected health information (PHI) has surpassed financial information as a target for criminals, becoming a highly valuable commodity.
“The other factor is that with the Health Information Technology for Economic and Clinical Health (HITECH) Act amendment of the Health Insurance Portability and Accountability Act (HIPAA), the loss of healthcare data is now treated in much the same way as loss of any other personally identifiable information, so hospitals—and basically anyone who holds healthcare data—will be subject to the same rules as if they lost birth date or social security numbers.
“The forensics cost, the legal cost, the cost of sending out a notice and offering a remedy—all these expenses are now a factor when PHI is lost or mishandled,” he says.
The shift in focus has been driven by the HIPAA/HITECH Omnibus Final Rule, which has given the HIPAA privacy regulations teeth. For instance, if an impermissible use or disclosure of PHI occurs, the organization must now presume there has been a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. This has significantly increased the number of breach notifications.
The issue gains added weight from the fact that if 500 or more records have been compromised there is now an obligation to notify the Office of Civil Rights (OCR).
“The OCR has taken a very active interest in following up on these notices to see if the organizations have network security and privacy plans in place, if they’re keeping them updated and if they’re responding appropriately in the event of a breach,” says Gow.
“The OCR is very busy—they’re looking at hundreds of these reported incidents a month, and they’re more actively leveling fines; the larger fines I’ve seen are in the millions of dollars so the OCR has certainly taken this issue and put it on the radar screens of the management of these healthcare organizations.”
Katherine Keefe, leader of Beazley Breach Response Services, agrees that the OCR has become very active recently.
“When there are breaches, especially large breaches, the OCR will come in and investigate and is starting to levy some very significant fines and penalties,” she says. “That has received the attention of healthcare executives who run health systems, health plans and physician groups in the US because there’s nothing more attention-grabbing than a million-dollar fine.”
It’s not just the size of the fines that is driving interest in cyber cover, it’s also the sheer number of breaches taking place each day. According to Arturo Reyes-Perez, client executive and privacy liability specialist for Barney & Barney, the reason that cyber security risks are now ranked higher than natural disasters is that while cyber losses often rival the severity of large natural losses, they are also more frequent. Large institutions can experience millions of malware attacks a day and many succumb via mobile devices or social engineering. However, the most common causes of privacy breaches are theft and negligent loss of media.
“In the first six months of 2013, breaches of patient data have been reported by 255 healthcare facilities,” he says. “Compromised personal records stand at 6,207,297, probably totaling potentially insurable losses of $651,766,185.”
Despite the increased likelihood of payouts, insurers have been quick to move into the cyber market, keeping pace with the rising demand for cyber policies.
“I’ve got more capacity than I have demand—even while demand continues to increase,” says Parisi. “So as cyber risks increase, the insurance marketplace has developed products to respond to the risks. And cyber is certainly a hot topic. While we’ve got 10 or 12 carriers that have been around since 1999 and really staked a claim, since 2003 we’ve probably had more than a dozen enter the market—some successfully, some less so—trying to roll out a cyber-product for their client base and potential clients.”
Not all products offer the same type or level of protection. “We now have more than 20 insurers offering some kind of healthcare-specific privacy coverage,” says Reyes-Perez. “Nevertheless, not all forms are equal. Most of these products have serious deficiencies, and only a handful of insurers offer exceptional coverage.
“These forms can also be improved. We have created special programs that improve wordings and add, free of charge, hybrid risk management services and compliance tools. As a result, we help clients prevent, mitigate, and transfer risk.”
The ability to mitigate the risk is an important point. Rather than waiting for the inevitable to happen, organizations are keen for support that will help them understand the nature of the threat and fortify themselves against it. Keefe does a lot to help Beazley’s insureds with breach prevention and education.
“On the technical side we recommend that organizations conduct regular periodic security risk assessments,” she says. “That is something that’s required under the HIPAA security rule and those security assessments need to be documented because we’re finding that when the government comes in to investigate a breach—and they’re investigating more and more of them—they will ask for copies of the security risk assessment.”
While HIPAA does not specify a time frame for these assessments, Keefe recommends that they be done at least annually.
“When there are technology changes, when the environment changes, there might be the need to conduct a security assessment on a more frequent basis than every year,” she adds. “New forms of malware become present; technology evolves. The IT professionals really need to pay attention to when and how often these assessments should be done.”
Michael Kanarellis, IT assurance senior manager for risk management and consulting firm Wolf & Company, agrees that thorough preparation is the best form of defense.
“I can’t emphasize it enough, it’s a matter of doing a proper risk assessment of your information technology environment, doing a threat analysis, looking at not only the risks that are out there but also making sure that you have first done a substantial inventory of all of your IT infrastructure—electronic PHI as well as your paper records,” he says. “This means you can identify where patient records truly exist within the network and then can take mitigating steps to reduce the risks of individual threats.”
Like Keefe, he believes the risk assessment needs to be about more than simply complying with HIPAA.
“It’s a requirement of HIPAA to do a risk assessment. In the past the government never really enforced HIPAA, and providers were able to simply brush it away. It’s a different world today.
“Because the government is beginning proactively to enforce HIPAA, providers are quickly learning they must go through those risk assessment exercises. It’s critical that the provider make sure it’s a useful exercise that will truly help secure their patients’ information. That is why we often tell our clients that once you do a risk assessment, that’s not the end of the process; it’s really looking at what you found then coming up with mitigating strategies and ultimately developing a true enterprise risk management process.”