Cyberattacks a Growing Threat for Healthcare

Because of the high value of medical records and healthcare databases to criminals, they pose ever more attractive targets. In fact, a number of reports have shown that cyberattacks are costing the healthcare industry billions of dollars annually, with a median loss of $150,000 per incident. Cybersecurity risks in healthcare have also drawn attention to the vulnerability of hospitals, clinics and other healthcare providers.

The infographic below, which is part of a series by Advisen and Hiscox, looks at:

  • The frequency of Health Insurance Portability and Accountability Act (HIPAA) violations over the past five years
  • The median loss in healthcare cyberattacks
  • The percentage increase of protected health information (PHI) losses between 2006 and 2011 for printed records, servers, laptops, desktop, website, portable data storage devices, and other sources.

It also examines which revenue groups suffered more PHI losses and the size of breaches that occurred more frequently.
cyber-hc1

The majority of losses involve printed records, which have increased to 45% since 2011 compared to 3% by email.
cyber-hc2

While some may think that the majority of breaches are large, in the past five years, almost 50% of breaches have been small, with fewer than 100 records lost.
cyber-hc3

After 3 Years of Increases, Total Cost of Risk Down 1%

Buyers of commercial insurance, who have seen relatively stable to slightly increasing rates over the past three years, reported paying 1% less to cover their total cost of risk than in 2013, according to the 2015 RIMS Benchmark Survey.

“The 2014 survey results reflect the overall stability of the U.S. property/casualty market. One notable driver is the increasing role of alternative capital in assisting reinsurers to deal with economic uncertainties. A related factor is the rising importance of predictive models among insurers, not only in the area of property, but also for cyber and casualty,” Jim Blinn, executive vice president and global product manager at Advisen, said in a statement.

Looking ahead to the second half of 2015, Blinn said commercial property/casualty insurers are beginning to see a softening market. “We are looking at a period of rate decreases in insurance premiums owing to rising competition in the market and more than enough available capacity.”

The survey, which encompasses industry data for more than 52,000 insurance programs from over 1,400 organizations, found that risk managers and underwriters have identified climate change as one of this decade’s defining issues. “It continues to be a cause of concern among companies and organizations as evidence linking it to flood and other natural disasters continue to mount. Already, regulators such as the U.S. Environmental Protection Agency (EPA) are sounding the alarm for the high economic cost of climate change,” according to the study.

Key findings in 2015 include:

  • Slight decrease in TCOR following three years of increases.
  • Average TCOR fell 1% from $10.90 per $1,000 of revenue in 2013 to $10.80 in 2014.
  • Management liability, workers compensation, liability, and property costs declined.
  • Risk management administration costs dropped 5% as costs for both outside services and risk management departments declined.

Tom Ridge Tells Cyber Conference Insurance Should Incentivize Risk and Resilience Planning

tom ridge advisen cyber risk conference

More Americans worry about being hacked than they are of mugging, burglary, sexual assault, murder, or physical harm of a child, according to a new Gallup poll. While hacking concerns did increase with household income, they impacted a majority of Americans in every income and age bracket, while no other form of violent crime surpassed 45% of those polled.

A new survey from Advisen and Zurich found that this fear is nearly universal for companies as well. Across industries, 88% of businesses view cyber as at least a moderate risk – up to 93% among larger businesses and 81% among small. Despite this widespread recognition, however, fewer businesses have a breach response in place than just a year ago. In 2014, only 62% have a response place – a 10% decrease from 2013. Yet 66% now use cloud services, presenting a 20% jump from last year.

“Clearly, security concerns are being outweighed by the benefits of technology,” said Erica Davis, Zurich vice president and assistant national manager for E&O, while presenting the findings on Tuesday at Advisen’s Cyber Risk Insights Conference.

Throughout the conference, consensus was clear: the 69% of Americans and 88% of businesses are on the right track, as their fears are well-founded. “There are two types of banks today: those that have been breached, and those that will,” Roc Starks, senior vice president and director of corporate insurance at Citizens Bank, said at one of the day’s panels. “First response is the critical difference in how banks and customers will fare.”

Keynote speaker and former Director of Homeland Security Tom Ridge (now of Ridge Insurance Solutions) shared this outlook on cybersecurity across industries. “There are going to be breaches,” he said. “Resilient companies are the ones that are prepared to respond.”

Yet breach response without risk management and an eye toward mitigation is no longer sufficient. “Those prepared to organize around risk and resilience are those that will withstand and lead,” he added. “By the time we get here next year, the risks will be different – the digital sun will never set.”

The landscape of cyberrisk and hacking schemes is constantly evolving, and changing at a scale and speed unlike anything seen before, Ridge said. For attendees, there was little doubt about this insight, as panelists throughout the day detailed new phishing schemes seen, top areas of emerging vulnerability, and the myriad breaches they or their industry colleagues have navigated. More companies are investigating the most useful forms of coverage for their unique exposures and exploring what management structures and risk owners are most effective to monitor and mitigate cyber. The recognition is there, and so are some of the solutions, but the insurance landscape must still evolve, as must the strategies. “We’ve seen a mind-shift,” Ridge said. “CEOs get it, but they do not know what to do and who the threats come from.”

To that end, there is more the industry can do to help. Ridge lauded the idea of “intelligent insurance,” arguing that, in addition to devoting greater resources to investigating cyber threats, the insurance industry should turn its attention to incentivizing companies to manage cyberrisk more effectively.

Much as in insurance disciplines like kidnap and ransom, some of the greatest benefits of insuring cyberrisk may come from the processes of evaluation and contingency planning. According to Ridge and other conference speakers, finding out how to oversee and incentivize those processes may be the next adaptation for cybersecurity insurers.

Cyber Risk a Top Concern for C-Suites

NEW YORK—Risk managers no longer have a problem getting the attention of their company board and executives when it comes to cyber issues, according to panelists at the Advisen Cyber Risk Insights conference yesterday.

At Royal Ahold N.V., in fact, a supervisory board “insists on an annual presentation on the insurance policies,” which include cyber, said Nicholas Parillo, vice president of global insurance for the company. Giving his annual presentation to the board is made much easier, because “the person before me is the chief security officer and before that, the CIO and it’s good to know that they are saying the same things I’m saying. That’s the level this kind of risk has achieved within major corporations.”

In the U.S., Ahold owns about 2,000 supermarkets—780 in the northeast, including Stop ‘n Shop and Giant Food Markets and 300 pharmacies, Parillo said. The company, which has annual revenue of $42 billion, also owns a number of chains throughout Europe.

Parillo noted that Ahold’s chief concern is the large amount of customer data needed for its goal of major online sales growth.

“Our CEO a couple of years ago established a goal of increasing our online sales from $400 million annually to $1.5 billion,” he said. “We should hit that target in the next two years or sooner. One of our big concerns in this area is fast growth in ecommerce,” and also that “good governance surrounds” that growth.

The company purchased its first cyber security insurance policy in 2007, he said, an action that was hastened by “two watershed events in retail business,” the Hannaford Bros. Co. privacy violation and the TJ Maxx case. Both of these have run into the “hundreds of millions of dollars now with a significant amount of legal fees associated,” he said, adding, “These events made my job a lot easier in terms of going to my management and saying that this could happen to us, despite the biggest and the brightest in our IT group.”

Jimmy Kirtland, vice president, corporate risk management with ING said that in the past, “trying to convince your CFO and CEO and general counsel that there really was [cyber] exposure,” was an issue. He explained that 10 or 15 years ago, “Even if you were going to look at cyber coverage you had only three brokers you could go to.”

Since then, “There has been a complete turnaround in 10 years. The market has grown tremendously and so have the brokers and it’s become much more sophisticated, which we appreciate. The C-suite has recognized that this is something that has to be looked at,” he said.

Dutch-based ING is restructuring, separating its banking and insurance operations. ING U.S. plans to rebrand as Voya Financial, a retirement, investment and insurance company, according to the company’s website. “In our case, one of the biggest concerns we had was that because of the split with our parent company, we had very little time to place our financial lines products, including cyber. So the concern is to get it right.”

The company filed an IPO in May, “and yesterday we announced we would have a secondary offering. When you don’t have the umbrella of a major global corporation anymore, you become keen on your risks and exposures,” Kirtland said.

What happens if technology fails at the company? “With us it really is out in the cloud,” Kirtland said. “Classic business insurance reimburses you for supply chain problems or if a warehouse burns down, so it’s an extra expense we have to worry about.”

To be able to stay in business in case of a technology failure, or in the case of “a system-wide blowout, we went with a time-limited type of retention. It’s a set amount based on the time you are out,” he explained.