Pandemic and Cyber Insurance

COVID-19 Pandemic Highlights Importance of Cyber Insurance

By Kathleen Sellers, JD, CLU©
Vice President, Charles J. Sellers & Co., Inc.

In addition to all the other challenges that businesses continue to face in 2022, cyber crime has been increasing, as cyber criminals have exploited vulnerabilities created by the COVID-19 pandemic.  The pandemic changed how many businesses, including professional practices, do business.  More people are working from home, using home networks and sometimes personal devices, which tend to be less secure than dedicated office networks and equipment.  We are all increasingly reliant on online communication tools, with people working from different locations and some face-to-face interactions limited.  The use of telehealth services has grown exponentially since the pandemic started.  All of these changes – resulting in more business taking place online -- translate into new opportunities for bad cyber actors.

A common cyber threat that businesses face is ransomware attacks, which are increasing in number and severity.  In a ransomware attack, a cybercriminal introduces malicious software that blocks access to a computer system and demands a ransom for unblocking it.  According to an insurance industry study, ransomware attacks grew by nearly 50 percent in the second quarter of 2020 (after the pandemic began) as compared to the first quarter.[1]  The amount of ransom demanded is increasing, as is the average length of time it takes for a business to restore its systems and resume operations. 

Healthcare businesses are a particular target.  In October 2020, a Joint Cybersecurity Advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) titled “Ransomware Activity Targeting the Healthcare and Public Health Sector.”[2]  The advisory alerted the healthcare sector to “tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with ransomware, notably Ryuk and Conti, for financial gain.”  While ransomware attacks against large hospital systems, health insurers, and public health entities grab headlines, medical practices of all sizes are at risk as well.

There are many steps that a business can take to improve its security, including stepping up employee training, hardening IT defenses, and implementing security patches on a timely basis.  It’s also an important time to purchase cyber insurance, if it isn’t already in place, and to review cyber coverage, if it is.  (In a recent survey by Travelers Insurance, 51% of businesses surveyed reported having purchased a cyber insurance policy.[3])  Cyber insurance packages together a broad range of coverages, including:

• Coverage for business interruption losses arising from a computer network outage
• Cyber crime coverage, covering losses from social engineering, phishing, and other types of financial fraud
• Cyber extortion and ransomware coverage, including coverage for payment of a ransom demand
• Coverage for third party claims alleging legal liability for damages related to a cyber event
• Breach response and remediation expenses, including the cost to notify individuals affected by a breach, along with IT and attorney costs incurred to investigate and remediate a breach

The terms of cyber insurance policies can vary, so it’s important to consult with an agent or broker who’s knowledgeable about the coverage, and who can help you select coverages and limits that properly address the risks that a particular business faces.  Most cyber insurance policies also provide pre-loss mitigation services, to help avoid or mitigate a cyber event, at no or reduced cost, such as employee training or identification of network vulnerabilities.  In addition to reviewing the types of coverage offered, it’s important to review coverage limits in light of the business’s particular circumstances.

Cyber insurance, which has become increasingly important in recent years, is now more critical to have than ever.  All businesses, and healthcare businesses in particular, need to review their cyber insurance coverage, so that if a cyber incident occurs, the right resources are available to restore operations and minimize financial loss.