Navigating cyber insurance coverage as threats evolve

The evolving cyberthreat landscape makes cyber insurance coverage decisions difficult for underwriters and healthcare organizations alike.

Cybersecurity, or cyber liability, insurance coverage can help shield healthcare organizations from a substantial portion of the costs associated with cyberattacks and data breaches. Cyber insurance policies are especially valuable given the surging costs of healthcare data breaches, which average $9.77 million per incident, according to IBM.

However, retaining a cyber insurance policy and keeping premiums and rates down has been a challenge for healthcare and other sectors that are heavily targeted by cyberthreat actors, as the threat landscape and risk profiles are constantly changing.

After years of rising premiums, year-over-year cyber insurance premium growth in the U.S. reported to the National Association of Insurance Commissioners plateaued in 2023, according to Aon. However, 79% of respondents to a 2023 Delinea survey said that they saw overall insurance costs increase, with 67% facing increases of 50% to 100%.

As cyber insurance costs remain variable, experts say a surge of high-profile healthcare cyberattacks and an ever-evolving threat landscape can make navigating the cyber insurance world even more challenging for healthcare organizations.

What's more, claims from the past several months are still being processed, making it difficult to determine how underwriters will react to recent changes in cyberthreat activity.

Evolving threat landscape translates to cyber insurance changes

Finding a cyber insurance carrier and obtaining the right level of coverage amid rising cyber tension is a challenge considering today's cyberthreat landscape and the volatile nature of cyber risk compared to other risk types.

"The problem with cyber insurance, underwriting and risk adjustments is that fires for fire insurance, for example, are not trying to figure out better ways to burn you," said Christopher Henderson, senior director of threat operations at cybersecurity company Huntress, in an interview with TechTarget Editorial.

"Whereas you look at cyber insurance, you are insuring a risk that is actively trying to circumvent the controls that the risk adjusters are using in order to determine your premium rates and your risk level. And so as soon as that underwriting is complete, it's basically out of date already."

Henderson pointed to the shifts in the threat landscape as a core driver of changes within cyber insurance questionnaires, which are typically submitted to an insurance company to provide documentation of security activities and determine coverage and premiums.

"What we saw last year was most of the models asking what remote access tools you have within your environment," Henderson said. "They were asking about your vulnerability management posture. They were asking how many admins you have and how many things they have access to."

The increased focus on these controls aligned with 2023 trends in the cyberthreat landscape, including an uptick in ransomware groups exploiting vulnerabilities in legitimate remote management software tools.

In 2024, those trends shifted. For example, for healthcare, the Change Healthcare cyberattack put a spotlight on the value of multifactor authentication (MFA). Additionally, an IT help desk social engineering scheme highlighted the risk of identity-based attacks.

In light of several high-profile cyberattacks and the continued use of effective tactics like phishing, Henderson said he has seen cyber insurance questionnaires asking about things like help desk verification procedures as of late. Henderson added that while these risks evolve, cyberthreat actors have not forgotten about their tried-and-true attack methods either. Rather, they add new tactics to their skill sets over time.

"I very much could see a world where cyber insurance, unlike other policies, moves to a six-month period of insuring, maybe even quarterly-based underwriting, where they're really trying to keep up to date with attack and tradecraft on a more timely basis," Henderson predicted.

Ways to mitigate risk, keep cyber insurance costs manageable

Many factors go into determining cyber insurance pricing, including annual revenue and the size of the organization seeking coverage. Organizations often must submit the results of a security audit to determine coverage as well. There are several actions organizations can take to better understand their own security posture.

Henderson recommended that organizations undergo a SOC 2 audit or adopt the ISO 27001 standard to attest to how well the organization is adhering to the controls set forth during the underwriting process.

Additionally, surveyed healthcare organizations that used the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as their primary security framework saw lower cyber insurance premium increases compared to those that had not adopted the NIST CSF, a 2024 benchmarking report by KLAS Research, Censinet, the American Hospital Association and the Healthcare and Public Health Sector Coordinating Council found.

"The threats and mitigation strategies of the past are still very important. You shouldn't just go chase the most recent attack," Henderson added.

"It's important to keep doing what we have been doing, but as we see a shift to these more identity-based and social engineering attacks, really ensuring that you have auditable provable procedures around identity verification and mandatory MFA on everything."

Even with high upfront costs, cyber insurance coverage can save organizations money in the event of a cybersecurity incident, such as a ransomware attack. For example, a 2024 report from Sophos indicated that average overall ransomware recovery costs were $2.94 million for organizations with a standalone cyber insurance policy, compared to $3.48 million for those with no cyber insurance coverage.

Navigating the cyber insurance marketplace can be challenging for a highly targeted sector like healthcare, but careful consideration of risks can help organizations obtain the right policy.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.