Chicago-based CommonSpirit is still waiting to hear back on its insurance claim for an October 2022 ransomware attack, but the hospital chain said disruption of some facilities and "significantly" hampered billing and collection activities contributed to a $1.4 billion operating loss for the year.
It is increasingly important for healthcare entities to carefully examine their cyber and other insurance policies to see what risks are covered in the event of a cyber incident, especially as the threat landscape continues to evolve, said attorney Peter Halprin, a partner at law firm Pasich LLP.
In the latest weekly update, ISMG editors discuss the shifting dynamics of cyber insurance, why APAC is approaching privacy regulations around emerging technologies, and how U.S. authorities charged the co-founders of cryptocurrency mixer Tornado Cash with money laundering.
The cyber insurance landscape has evolved significantly over the last 10 to 15 years. Initially, renewals were relatively straightforward, but with the rise of cyberthreats such as ransomware, the market has shifted dramatically to reduce risk exposure.
Fears that cyber insurance coverage drives companies into paying ransomware demands more easily than not appear unfounded, concludes a British think tank study that also suggests insurers should do more to enact corporate discipline. Cyber insurance has been dogged by accusations of moral hazard.
Cyber insurance companies gather a lot of information on the cost of breaches, but security organizations need to know the bigger picture. Jack Jones, chairman of the FAIR Institute, discussed identifying risk and evaluating overall costs with the FAIR model.
"Insurance is a tool," said Libby Benet, the global chief underwriting officer for AXA XL. "When you buy an insurance policy, you are buying a network of professional crisis managers." In this episode of "Cybersecurity Insights," Benet discussed present and future cybersecurity insurance issues.
Hospital chain CommonSpirit has upped its estimate on the financial toll incurred by a ransomware incident last fall that disrupted IT systems and patient services at some of its facilities for weeks. But company officials reportedly expect many of the costs to be covered by the company's insurance.
Cyber insurance applicants should provide detailed responses that clarify the nature of their business to avoid claim denials in the event of a security incident. Pasich LLP Senior Managing Associate Tae Andrews urged applicants to "interrogate the interrogator" to push back on vague questions.
Most people would assume ransomware tops the list of cyber insurance claims. Not so these days. Most claims are originating from third-party attacks, said Peter Hedberg of Corvus Insurance and Christopher J. Seusing of law firm Wood Smith Henning & Berman.
Members of a U.S. House subcommittee got their first look at the Biden administration's new national cybersecurity strategy and quizzed the White House cybersecurity director on the timeline, proposed regulations and incentives for private businesses.
A French law requiring companies to report cyber incidents to authorities within 72 hours or lose their eligibility for cyber insurance reimbursement has practitioners scratching their heads. Global companies with headquarters in France will have the most uncertainty, experts say.
Arctic Wolf has expanded its security operations platform into threat intelligence, incident response and cyber insurance, says CEO Nick Schneider. The company has focused on putting businesses in the best possible position to answer questions from insurance carriers following a security incident.
Premiums for cyber insurance have climbed sharply along with global rates of ransomware. But signs of increased competition and capital inflows suggest the cyber insurance market may be softening, Marsh executive Sarah Stephens told a U.K. parliamentary committee.
A periodic stress test assessment of U.K. insurers by the Bank of England found underwriters mostly withstood extreme cyber events. Still, underwriters may not be operating from the same set of assumptions when it comes to the likelihood of having to manage an actual extreme cyber event.