Webinar: Top Cyber Insurance Myths Debunked

Today, Lindsey Nelson, International Cyber Team Leader at CFC, held a webinar on debunking the top six cyber myths.

We explored common cyber insurance misunderstandings and objections we hear from clients, and how to overcome them.

We also have a handy article you can download here.


UK | Cyber Claims Case Study: Backup Breakdown – Engineering Firm’s Files Wiped Out By Ransomware | 11am BST, Wednesday 29 August

Canada | Cyber Claims Case Study: Backup Breakdown – Engineering Firm’s Files Wiped Out By Ransomware | 12pm EDT, Wednesday 29 August

Australia | WannaCry & NotPetya: Impact on Australian SMEs | 5pm AEST, Tuesday 4 September

UK | WannaCry & NotPetya: Impact on UK SMEs | 2:30pm BST, Tuesday 4 September

More to be added soon…



Cyber is one of the hottest topics in insurance and, as a line of business, it’s projected to experience phenomenal growth in the years ahead. But cyber is still a relatively new market, and can be made unnecessarily complex by industry jargon, buzzwords of the day, and a lack of standardization in policy wordings. As such, many companies find themselves confused about how cyber insurance actually works and are skeptical about whether it makes sense for their business to purchase a policy.

To clear up the confusion, here are six of the most common misunderstandings that businesses tend to have about cyber insurance and how to overcome them.


Did you know we’re also running a webinar on this topic? You can sign up here!



The short answer:
No matter how much a company invests in IT security, they will never be 100% secure. The purpose of an insurance policy is to respond in the event that the worst happens.



The short answer:
Even if you outsource your IT, the chances are you’re still liable. Assuming you’ll be successful in claiming back damages from a third party is a risky gamble.



The short answer:
Any business that relies on a computer system to operate, whether for business-critical activities or simply electronic banking, has a very real cyber exposure.



The short answer:
Cyber criminals target the most vulnerable companies, not just the most valuable.



The short answer:
Some overlaps exist (as they do with all lines of insurance) but traditional insurance policies lack the depth and breadth of standalone cyber cover, and won’t come with experienced cyber claims and incident response capabilities.



The short answer:
The number of cyber claims continues to rise, in terms of both frequency and severity, and insurers are paying them.


You can download the full article here.


Webinar: IP Insurance Explained

Today, Erik Alsegård, Intellectual Property Practice Leader at CFC, held an introductory webinar on IP insurance. 

In the modern competitive economy, intellectual property has become a key asset to most companies. It’s no surprise that the stakes are often high when someone alleges that another company infringes on their patent, trademark, copyright or other intellectual property rights.

You can watch the webinar here and download the slides here.

Keep your eyes peeled for more IP webinars coming soon!

Webinar Registration: Top Cyber Insurance Myths Debunked

Cyber is one of the hottest topics in insurance, but can be made unnecessarily complex by industry jargon and a lack of standardization in policy wordings. It’s no surprise that many businesses find themselves confused about how cyber insurance actually works and skeptical about whether they actually need it.

Join Lindsey Nelson, International Cyber Team Leader at CFC, as she discusses the top six cyber insurance misunderstandings and objections we hear from clients and how to overcome them.

Sign up for the session in your time zone today!

UK | 2pm BST | Wednesday 15th August

Australia | 5pm AEST | Wednesday 15th August

Canada | 2pm EDT | Wednesday 15th August


This month’s cyber claims case study is “Quick Fix Complication.” This tells the story of a US-based healthcare service provider that fell victim to a ransomware attack.

Thanks to CFC’s in-house incident response team, the healthcare service provider managed to avoid a costly notification to their entire patient population and the consequential reputational harm that may have arisen from such a notification.

The key takeaway points are as follows:

  • When a ransomware attack or any other cyber event occurs, it is essential that policyholders engage their cyber insurance provider as soon as possible. By doing so, a co-ordinated response to the event can be devised and any evidence that may become crucial later on can be preserved from the outset.
  • The cyber insurance market is becoming increasingly competitive, with new carriers regularly entering the market. Businesses should be aware, however, that not all insurers are alike, and the skills and expertise that a well-established, experienced cyber insurer can bring can make a big difference, especially when making a claim.
  • By having our in-house incident response team with specialist knowledge of cyber security and forensics, we were able to prevent the policyholder’s claim costs from escalating and ensured that the organisation’s reputation didn’t suffer unnecessarily. If they had been with a less experienced cyber insurer without a dedicated in-house incident response team, they may have gone ahead with the breach notification process.

You can download the case study here.

Webinar: Beyond the Breach

Yesterday James Burns, Cyber Product Leader at CFC, held a webinar focusing on one of our cyber claims case studies.

We took a deep dive into Beyond the Breach – Hospital Faces Huge Operational Disruption which details a malware attack that left a small hospital reeling and how our policy helped get the hospital operational again.

You can watch the webinar here and download the slides here.

Keep your eyes peeled for more cyber webinars coming soon!


Cyber Insurance Guide

As we become increasingly reliant on technology, the potential impact of cyber-related incidents continues to grow. Yet the cyber insurance market is relatively new in comparison with other lines of cover.

This straightforward guide explains how cyber risk and insurance have evolved and how a good cyber policy addresses these modern exposures.

“Cyber” is one of the most talked about topics in business, insurance and media but also seems to be one of the most misunderstood. And with good reason: it is an area associated with jargon, buzzwords and what feels like a whole lot of complexity.

This is largely down to the fact that the development of cyber insurance has historically focused primarily on third party privacy exposures. At the same time, traditional insurance policies have tried, but rarely succeeded, in addressing cyber risks; this has left clients believing many exposures are covered when they actually aren’t.

So what should we mean when we talk about cyber risk? What do clients need to protect themselves against? The real answer is crime. Technology has revolutionised the world for businesses and individuals alike and the past twenty years in particular have seen monumental shifts in human behaviour directly linked to technological advancements. From the way we shop to the way we access bank accounts and book holidays, everyday life has changed fundamentally.

However, while the technology revolution has brought with it unparalleled levels of convenience and choice to millions of people across the globe, it has done the same for the criminal underworld. It is now far easier and far more lucrative for criminals to ply their trade digitally rather than physically. Cyberattacks are the modern crime and cyber insurance is the way to protect against them.

Download and read the full guide here.

Healthcare in Transit

As the elderly population in the US continues to grow, so too does the necessity for non-emergency medical transportation services to cater to this demographic in both urban and rural areas nationwide. The transportation services provided by these companies are vital to the accessibility of routine healthcare services and the survival of patients who otherwise would not be able to make it to routine medical appointments. The barriers these patients face may include a lack of mass transit options and significant distances to their providers. In addition, a patient’s physical disabilities and/or financial circumstances can further complicate access to these services.

The rising need for these services can be felt even more palpably in rural areas, as these geographic regions statistically contain a larger portion of elderly inhabitants than do urban areas, where providers are located at significantly closer distances. Further to this point, the geographic isolation of patients residing in rural areas typically carries with it the burden of more chronic health conditions, poverty and, consequently, poor health outcomes.

To highlight this point, studies have uncovered that nearly four million Americans have experienced some type of transportation complication that has led to them missing scheduled appointments. This also deals a devastating blow to healthcare providers, as no-show rates, in some instances higher than 30%, have cost providers more than $150 billion per year.

The impact of patients’ lack of access to affordable and convenient transportation services has not gone unnoticed by the tech industry, however, as we have recently seen on-demand transportation app giants Lyft and Uber make their entrance into the healthcare field. Lyft has partnered with the healthcare information exchange platform Allscripts to integrate “ride-hailing functionality” into Allscripts’ database platform, which will allow nearly 200,000 providers to request transportation services for their patients through the Lyft application. Similarly, Uber has recently launched Uber Health, which deploys a comparable ride-hailing functionality for the patients of its partner healthcare systems, most notably MedStar and LifeBridge.

Uber and Lyft’s presence in healthcare transportation may well prove to be an effective remedy for an ailing community of patients who otherwise would have less access to healthcare appointments and quality outcomes. However, this does not come without the glaring risk exposure that current and longstanding emergency and non-emergency medical transportation services face on each and every patient transport. Perhaps the most prevalent source of claims faced by these companies is injuries sustained by patients during the loading and unloading phases of the transport. As many of the patients requiring these services have significant physical limitations, this puts the onus on the company to ensure that all employees have been properly trained to perform these tasks. Other sources of claims in this class which may lead to bodily injury to patients in transit include, but are not limited to, collisions with other vehicles or objects, failing to secure or improperly securing a patient to their seat, failing to properly secure wheelchair-bound patients, the improper use of chair lifts and potentially leaving patients unattended in extreme or unsafe conditions.

With these risk factors in mind, it will be the responsibility of tech companies like Lyft and Uber, and surely many others who follow suit, to ensure that they are employing competent, well-trained and vetted employees who are only providing transportation services to patients that are in line with the safety installations of the vehicle they are operating, such as four-point tie downs for wheelchair- and stretcher-bound patients.

Overall, this industry class will only continue to be relied upon as a necessity in the years to come and it is of primary importance for providers in this space to hold their employees to the highest standards of training and risk mitigation. Non-emergency transit appointments have the potential to quickly escalate into emergency transports due to an unexpected change in the patient’s condition along the way which, if not properly handled, can lead to a delay in services that may subsequently lead to a loss of life. It is also crucial for insurance brokers who will be placing coverage for non-emergency medical transit companies to fully understand the risk exposure presented by these companies and ensure that the carrier will not be excluding claims for some of the fundamental services provided, such as loading and unloading.

California Consumer Privacy Act of 2018

At the end of June, California state legislators passed the California Consumer Privacy Act of 2018. Coming into effect on January 1st 2020, the act is set to bring in a number of data protection requirements and new consumer rights similar to those enacted by the EU’s General Data Protection Regulation.

However, amid all the noise about the bill’s passing, one crucial area of the act appears to have been given surprisingly little attention – California has established a minimum cash amount that victims of a data breach could expect to receive should they pursue damages.

The act stipulates that consumers whose unencrypted or unredacted personal information has been subject to unauthorised access, exfiltration, theft or disclosure, as a result of a business’s failure to implement and maintain adequate security standards, will be able to claim damages of $100 as a minimum and $750 as a maximum per incident or actual damages, whichever is greater.

The law will apply to organisations that are run for profit, do business in California and meet one or more of the following thresholds:

  • Annual gross revenues in excess of $25 million;
  • Annually buy, sell or share the personal information of 50,000 or more consumers, households or devices;
  • Generate 50% or more of annual revenues from the selling of consumers’ personal information.

This particular part of the act marks a change of fundamental importance for a number of reasons. First, it will almost certainly increase the financial exposure that businesses face as a result of a data breach. Now, even a relatively small breach of, say, 1,000 records could result in statutory damages of $100,000-$750,000 being claimed.

Secondly, it is likely to lead to a big uptick in class action cases in general. To date, claimants in data breach class actions have often struggled to demonstrate standing as it can be difficult to prove what, if any, financial harm might be experienced as a consequence of a breach. For smaller breaches, this has meant less impetus on the part of plaintiff attorneys to bring class actions.

But with the law now enshrining minimum statutory damages for certain data breaches and with affected consumers knowing that they might stand to receive up to $750, we could see a proliferation of class action cases when the act comes into force from opportunistic lawyers looking to get involved in lucrative cases. Importantly, this could lead to a surge in class actions resulting from smaller breaches in particular.

Finally, the act sets a precedent. Back in 2003, California was the first state to introduce breach notification laws. Now, just 15 years later, every state in the union has implemented such laws. Could this act mark the beginning of minimum statutory damages being introduced elsewhere? If history is anything to go by, it shouldn’t come as a surprise if similar acts become more widespread.


Insurance and the digital health revolution

Timothy Boyce, US Healthcare Team Leader, CFC

Healthcare is about to change beyond recognition. A host of technologies are uniting to transform the way we treat patients and develop cures – from artificial intelligence to remote patient monitoring and interactive telemedicine services.


According to Rock Health, $1.6bn of funding flowed into the eHealth sector during the first quarter of 2018, exceeding comparable investment marks for the previous two years. The principal driver: deregulation. In the last twelve months we’ve seen the formation of the Chronic Care Act, which will pave the way for greater use of technology in healthcare, and the VETS Act, which allows providers to treat veterans across state lines using telehealth. The next segment will be the Opioid Crisis Act, which promises to put an end to a crisis with the assistance of telemedicine, digital pills and analytics tools.


The FDA have also played a key role in the rise of digital healthcare. In their budget for 2019, Scott Gottlieb cited that ‘we’re seeking to advance a new paradigm in the regulation of digital health technology that I believe will allow us to grow this promising field more quickly’. This of course was in reference to their Pre-Cert Pilot Program, which will aim to look at the software and/or digital health technology developer, rather than primarily at the traditional medical product/device. Since then they’ve also approved a ‘trackable’ pill which is linked to a patch and a smartphone to detect medication compliance.




As the healthcare and technology sectors continue to intertwine, practitioners and companies operating in the digital health space will start to experience a wider range of risks, from misdiagnosis of medical conditions due to the distortion of x-ray images sent using store-and-forward technology, to incorrect readings of glucose monitors leading to patient harm. We’ve even seen 450,000 women in England who were not invited for a routine breast cancer screening because of a ‘computer error’. The risks are present, real and getting harder to predict. A recent study cited that the FDA reported receiving information on 260 incidents with potential for patient harm, including 44 injuries and six deaths, all arising from technology-related healthcare incidents. It was also reported that almost 25% of 176,409 medication errors notified to US Pharmacopeia were technology-related.


So what does this mean for the insurability of practitioners and companies operating in eHealth? Well, in short, it becomes problematic. Medical malpractice insurers are rightly concerned about the potential for patient harm arising from technology-related errors, not to mention the lack of credible data to allay their concerns about it eroding their profit margin. As a result, their policy triggers have stayed eye-wateringly static despite the global rise of technology within healthcare. Technology E&O insurers will only extend to losses arising from ‘technology activities’ and are loath to offer any form of bodily injury cover, whether it’s on a primary or contingent basis, and cyber insurers, quite simply, explicitly exclude all forms of bodily injury.


A dearth of affirmative coverage is therefore present in the insurance industry for traditional healthcare providers and digital health companies alike. This has already and will continue to lead to grey areas being present within insurance placements. The knock-on effect of this will be finger-pointing between three or more insurers over the proximate causation of the loss: was it a healthcare incident, technology error or cyber event? Absent any case law, and despite the litany of disclaimers, clients will then subsequently be required to pay three different deductibles and may even run the risk of having no coverage whatsoever. The debate will then intensify about who makes the ultimate decision on patient care, the technology or the traditional healthcare provider?


With these sentiments in mind, the insurance industry is on the cusp of a more modernized approach for healthcare providers. As the shift in healthcare delivery continues, it will become increasingly crucial for agents and wholesale brokers to advise their clients of these potential pitfalls in standard insurance policies, and to source bespoke insurance products tailored to meet clients’ refreshed needs and demands.


If you would like to download, print or share this article, you can do so here.