Best Practices for Insuring Medical Practices from Cyber Risk

Karin Landry Spring Consulting Group, LLC Managing Partner

3 “There are two kinds of companies today, those who know they have been hacked, and those who don’t.” James Comey FBI Director (USA Today, May 2014)

4 Cyber Risk Trend/Statistics 2013 Verizon Data Breach Study Organized crime accounts for 55% of all breaches studied Organizations under 100 employees account for 31% of all breaches 66% of breaches took months to discover 69% of breaches are discovered by external party 78% of the breaches are considered low to very low difficulty Method of action: –40% Malware –52% Hacking Most desired data for organized crime: –Payment card information –Authentication credentials –Bank account information 48% of the 47,000 security incidents studied were attributed to errors such as: –Lost devices –Publishing errors –Mis-delivered /mail

5 True Cost of a Data Breach $188 Per Record for U.S.* Forensics (determining where, what and how much data was breached) Notification (as required by law) Fines/Penalties Loss of Customers/ Donors Damage Control Expenses (to retain clients, restore confidence in org. and restore reputation) NOTE: This study DOES NOT factor in costs associated with defense costs or liability payments made *Source: 2013 Cost of a Data Breach Study – Ponemon Institute

6 Anatomy of a Data Breach Incident Malicious attack, employee error, or theft Discovery Victims are sometimes the last to know. Usually discovered within months Forensics Analysis What, Where and How Response Compliance to regulatory requirements for notification Damage Control Offering credit monitoring /fraud monitoring to impacted parties

7 Common Cyber Risk Coverages Media/Website Publishing Liability Security Breach Liability Crime - Extortion and computer fraud/funds transfer fraud Restoration/ Replacement of Electronic Data Business Income/Extra Expense Security Breach Expense Public Relations Expense Fines/Penalties - Regulatory proceedings and payment card industry Employee Privacy Liability

8 Regulatory Considerations: Data Breach Notification Laws In effect in 47 states except: –Alabama –New Mexico –South Dakota Subject to statutory fines/penalties –Exemptions and notification deadlines vary by state HIPAA /HITECH law to entities that keep patient health information –Enforced by the Department of Health/Human Services

9 Social Media Exposures Content Potentially liable for content (i.e., Facebook page, YouTube video, blog on your website) Privacy Content posted can breach a person’s privacy or lead to identity theft Intellectual Property Infringement Copyright/trademark Virus/Malware Could be uploaded to your social media site that infects other members who click on that link Reputational/Public Relations Risk Certain negative content can go viral and reach a critical mass of people in a very short time

10 Risk Management View Cyber viewed as very high profile risk by CEOs, CFOs, treasurers and risk managers Captive may be an excellent alternative to fill gaps between self insurance and true risk transfer –Cyber risk may diversify a captive’s more traditional risk *Source: Business Insurance Survey 56% of risk managers cite cyber risk as “top concern”* 52% of risk managers have dedicated cyber risk insurance policy*

11 How to Price Cyber Insurance The market for network, information security, and privacy (cyber) insurance remained stable in 2013 Recent events will define the market for the next several years Pricing sources: –Commercial market quotes –Broker indications based on: Industry (retail, manufacturing, financial institution) Exposure (credit cards, healthcare personal data, SSNs, HIPAA exposures) Company size (# of customers, # of transactions) –Actuary –Transfer pricing study

Case Study: Nittany Insurance Company

13 Nittany Insurance Company Single-parent Vermont-based captive, owned by The Pennsylvania State University 1992 Established as funding vehicle for hospital professional liability insurance 2000 Expanded to include reinsurance of primary GL and auto coverage Later in 2000’s Added more coverages for convenience of University (i.e. deductible reimbursement for master insurance programs)

14 Penn State University Flagship land-grant University in the Commonwealth of Pennsylvania –However, NOT owned by the State Operating Budget 2013/14: $5 Billion 25,000 full-time faculty and staff, plus another 15,000 part-time employees 93,000 students at 20 campuses Two hotel/conference centers One very large football stadium

15 The Situation Decentralized educational departments and IT networks/ systems 22 million overtly-hostile computer intrusions blocked daily 170,000 accounts receive 3.2 million s daily Over 95 million spam s blocked daily Insurers not interested in covering large research institution with open computing philosophy Commercially available policy forms did not provide needed coverage Wanted a single funnel to accumulate expenses and manage responses to breaches Wanted behavior modification: –Incentivize decentralized units to use good computer security practices

16 The Solution Placed risk in owned captive Key feature of the coverage is a two-tiered deductible –If a unit employs certain “good practices” advocated by IT Security Operation Services, but has a breach anyway, $25,000 deductible –If a unit did not employ “good practices”, and that led or contributed to a breach, $100,000 deductible

17 The Results Firewalls more reliably installed, maintained and patched Security software updated real-time Software contracts routinely scrutinized and include security requirements Actual compromises decreased significantly Release of SSN’s declined from 10,000 at a time to 5-10 in isolated instance

18 Contact Information w w w. s p r i n g g r o u p. c o m Karin Landry Managing Partner Spring Consulting Group, LLC Phone: ; ext. 102