Health insurers are particularly attractive targets for cyber-attacks because the amount of information they store about their clients is far greater than that held by banks or credit card companies, according to an insight report from Timetric’s Insurance Intelligence Center (IIC).
The IIC report, The Future of Cyber Risk Insurance, explains that cyber risk encompasses damage caused by cyber-attacks and any liability involving compromise of data integrity.
Security breaches are a type of cybercrime that can be the result of one or a combination of the following factors:
- Security breaches through cyber-attacks from the external environment, such as cyber extortion or espionage, in order to gain access to an information system
- Unintentional or accidental breach of security, such as information sent to the wrong email or loss of a laptop
- Operational risks due to inappropriate security controls, making IT systems vulnerable
Types of cybercrime include malware, which is software that infiltrates a computer through computer viruses, worms, spyware and Trojan horses.
Cyber risks have become a severe threat and persistent business risk for the global economy. For example, the total number of reported cyber security incidents grew from 3.4m in 2009 to 42.8m in 2014 at a CAGR of 66%, according to The Global State of Information Security Survey 2015.
In particular, security incidents grew substantially by 48% in 2014, equivalent to 117,339 cyberattacks every day.
With that in mind, cyber threat actors such as malicious insiders, hacktivists, nation states and organized cybercriminals continue to develop and advance their techniques to launch cyber-attacks.
The IIC report explains that 2.32m nationals were victims of medical identity theft in the US in 2014 – an increase of 21.7% in comparison to 1.84 million victims in 2013 – according to the Fifth Annual Study on Medical Identity Theft by the Ponemon Institute.
Additionally, the digitalisation of records and use of wearable devices in health insurance to monitor the health of policyholders expands the insurer’s exposure to the cyber environment.
The cost to remediate the impact of data breach incidents is increasing along with the rise in the frequency and intensity of cyber incidents.
The average total cost of a data breach globally increased from US$3.52m in 2013 to US$3.79m in 2014, according to the 2015 Cost of Data Breach Study-Global Analysis by the Ponemon Institute.
Cyber-attacks on health insurers
- Anthem is a major health insurer in the US. It detected a cyber-attack on its IT system on 29 January 2015, which Anthem believes happened over several weeks beginning in early December 2014
- Attackers reportedly gained unauthorized access to Anthem’s server and IT system, stealing personal information such as address, employment information, income data, and medical IDs / social security number. It was reportedly considered to be a very sophisticated external cyber-attack
- It was reported the personal information of nearly 80m people was affected by the data breach
- Premera Blue Cross (Premera), a health insurer operating in Washington, Alaska and Oregon, announced on 17 March 2015 that the organization had been the target of a cyberattack
- Premera discovered that cyber attackers had executed an attack to gain unauthorized access to its IT systems. Premera’s investigation further revealed that the initial attack occurred on May 5, 2014.
- Premera’s investigation determined that the attackers may have gained unauthorized access to members’ information, which could include members’ name, date of birth, Social Security number, mailing address, email address, telephone number, member identification number, bank account information, and claims information, including clinical information.
- Premera responded by mailing letters to approximately 11 million affected individuals and providing two years of free credit monitoring and identity theft protection services to those individuals
According to the IIC report, cyber cover provided by insurers is generally from a combination of risks arising from cyber incidents relating to network security, data privacy, error and omissions (E&O) and media liability.
It also notes that the cyber insurance market is still in its initial stage of development. This means the product development of cyber insurance products is still not able to match the dynamic nature of cyber risks.
The type of cover and the policy wordings continue to evolve. The definition of terminologies used by the insurer and policy wordings such as terms and conditions and exclusions differ with each policy, as well as from one insurer to another.
Insurers offer cyber insurance to cover first-party as well as third-party losses. First-party cover applies to losses incurred directly by the insured, such as damage to the data and systems of an organisation as a result of a cyberattack or technological glitch.
Third-party insurance, commonly called cyber-liability insurance, applies to the defence costs, damages and liabilities to third parties such as customers and business partners.
Ian McKenna, director of the Finance & Technology Research Centre, says it is almost impossible to understate the extent of the threat posed by a cyber-attack.
McKenna explains that rogue nations, terrorists and organised crime all recognise the opportunity this presents them. "Financial networks are a particularly attractive target given their reliance on data, the personal nature of such data and the depth of such organisations' financial resources."
In the case of healthcare insurers, McKenna says the challenges are even more intense as so much emerging technology has the potential to transform their market, even redefining the basis on which they assess risk.
McKenna says: "Data security will have a pivotal role in the future of health insurance. Those tasked with ensuring its integrity must be represented at the highest levels of organisations. At the same time we need to see a new breed of data security professional who sees their role as an enabler who helps things happen, rather than the person that is always saying no."
In McKenna’s opinion, organisations who close their door to innovation citing an inability to operate securely will precipitate their own demise. He says: "The most profitable businesses in the future may be those who successfully blend the right mix of innovation and data security."
Farida Gibbs, CEO and Founder of Gibbs S3, an IT staffing and project solutions company, says: "The data held by the healthcare industry is a major target of cyber criminals and it’s not surprising that recent research from PwC has shown that the healthcare sector suffered more breaches in 2014 than any other."
In Gibbs’ view: "This trend shows no sign of slowing down and will ultimately result in customers paying the price. We have seen the massive consequences of the Anthem and Bluecross hacks in America – the organisations that aren’t prioritising their cyber-security defences right now will be the ones in the headlines sooner or later."
Matt Cullen, assistant director and head of strategy at the Association of British Insurers (ABI), explains that while cyber-specific insurance policies have been on the market for a number of years, and are now showing significant growth, they remain a relatively niche purchase for UK firms.
Adding further to the difficulty of ensuring a sustainable cyber market is the lack of data on cyber events, says Cullen.
He says: "Individual insurers are generating data from claims, but as a relatively new risk with relatively low insurance penetration, this remains quite limited information."