Change Healthcare Hack: Everything You Need To Know
Change Healthcare experienced a ransomware attack with unprecedented fallout. What happened, and what have we learned?
![[LOGO] Corvus Insurance](https://www.corvusinsurance.com/hubfs/Corvus_Logo_Horizontal(R)%20(4).svg "[LOGO] Corvus Insurance"){kind=logo}
When cybersecurity (tech-oriented) and insurance (complicated) meet, there’s bound to be some misconceptions. The mixing of two worlds invites some confusion, so we’re welcoming you to our judgment-free zone. We’ll get straight to the point by debunking some common myths we’ve seen or heard first-hand circulating about cyber insurance.
What Are the Top Five Cyber Insurance Myths?
Myth #1: “I only need to implement the security measures required by my carrier and I’m safe.”
TL;DR: Your carrier probably will require you to implement common security controls at the minimum. But in cybersecurity, the work is never done.
For organizations that haven’t experienced a cyber threat before, there’s often a false sense of security about how safe their systems actually are. If the worst-case scenario hasn’t happened yet, they must be doing something right — right? But as the rates of ransomware skyrocketed, carriers realized certain security blind spots should be addressed right away, based on patterns in their books of business. Underwriters have started requiring more information from organizations looking to acquire coverage, specifically regarding ransomware loss controls and IT risk management. These include multi-factor authentication, endpoint detection response, and robust backups.
![[BLOG] Talk the Talk - Cyber Insurance Terminology Guide](https://www.corvusinsurance.com/hubfs/Blog%20CTAs/Talk%20the%20Talk%20-%20%20Cyber%20Insurance%20Terminology%20Guide/%5BBLOG%5D%20Talk%20the%20Talk%20-%20%20Cyber%20Insurance%20Terminology%20Guide.svg)
However, insurers need to locate a balance between requiring measures that will impact safety for policyholders and making it feasible for a typical organization to meet those requirements in a reasonable time frame and cost. That means the most intensive, cutting-edge security practices or tools aren't likely to be required, although your insurer may recommend them strongly. Our advice: Follow as many of your insurer's recommendations as you can — even if they go beyond what is strictly required for your policy.
Myth #2: “I don't need a separate cyber insurance policy.”
TL;DR: Add-ons aren't cutting it alone anymore.
For many small and medium-sized businesses, the thought of investing in a separate cyber policy has felt unnecessary, but the tides are turning. Tracing back to the early days of cyber insurance — before ransomware headlines were an almost weekly occurrence — a cyber liability endorsement to a BOP felt like adequate coverage for SMEs.
But general liability policies aren’t built to properly cover the risk of modern-day cyber threats, such as ransomware, social engineering, and other cyber crimes. Dedicated cyber insurance provides extensive coverages for first-and-third party costs, where many endorsements fall short. Most BOP cyber add-ons do not cover first-party costs, things such as notifying customers in the event of a data breach, forensic investigations, or in worst-case scenarios, ransom payouts. This leaves your business paying out of pocket for your own recovery efforts.
Myth #3: "Small businesses are safe from cyber threats."
TL;DR: Small businesses are often easy targets for threat actors.
The best target is one that’s easy, like a car left unlocked. For a cyber criminal, it’s not necessarily about finding the most profitable victim, but one that offers a combination of ease of access, high likelihood of success, and potential payout. Small businesses who have less money to invest in their cyber hygiene are a seemingly painless win for cybercriminals. According to Cloud Security provider Barracuda, the average employee of a small business (100 employees or less) experiences 350% more social engineering attempts than an employee of a larger company.
Just 5% of small business owners cited cybersecurity as the biggest risk to their business right now. Meanwhile, larger corporations report cyber incidents as a leading concern, according to the Allianz Risk Barometer. The first line of defense is ensuring your security measures are up to par — and investing in cyber insurance is a good place to start. Many carriers will work hands-on with you, out of a mutual interest, to protect you from ever needing to file a claim.
![[BLOG] Small Businesses - How to Improve Your Security on a Budget](https://www.corvusinsurance.com/hubfs/Blog%20CTAs/Small%20Businesses%20-%20How%20to%20Improve%20Your%20Security%20on%20a%20Budget/%5BBLOG%5D%20Small%20Businesses%20-%20How%20to%20Improve%20Your%20Security%20on%20a%20Budget.svg)
Myth #4: “Okay, I’ll get cyber insurance. And then I’m completely covered.”
TL;DR: You have to read all the fine print of the policy, especially in a hard market.
Truth: A cyber insurance policy will protect a business against the impact of cyber threats. A more specific truth? Not all policies are created equal. Especially as carriers try to counteract the losses due to the rise of ransomware, reading the fine print has never been more important. The main thing to watch for is the increased use of coinsurance and sub-limits in cyber policies. Expect to find sub-limits alongside coverages that pair with the most frequent and costly claims. Namely ransomware and cyber extortion, but social engineering, business interruption, and less popular add-ons are being met with tighter limits.
Brokers and agents can tell you about specific (and confusing) policy form language, covering waiting periods, retention structure, and various forms of social engineering. Having great controls in place or spending more in premium can help clients combat the rise in sub-limits, but be mindful of any carriers who are implementing strict coinsurance clauses as knee-jerk reactions to specific cyber incidents.
Myth #5: "All my data is outsourced to the cloud. My third-party provider would be liable if there’s a breach.”
TL;DR: You're still responsible for the care of that data.
Legally, regulatory bodies will hold the owner of the data (you, in this scenario) responsible, not the data holder or data processor. Since your customer or client has entrusted their data with you, you are responsible for what happens to it. If your third-party provider experiences a breach, you’ll need to directly communicate with your client. Your cyber insurer can be of huge assistance here to subrogate on your behalf, dealing directly with your vendor and paying the associated upfront costs.
This is also a good time to evaluate your vendor relationships and consider establishing a third-party vendor management policy. In the event that a breach does occur with one of your vendors and your client’s data is at risk, you’ll know exactly how to handle it. Your employees will know the next steps, who to call, and (emphasis from us!) when to inform your cyber insurer.