Many Hospitals Are Requiring App Developers to Carry Cyber Insurance
Don’t be taken by surprise! Hospitals and other health institutions are now requiring healthcare app developers to have cyber insurance policies in place before app testing or trials can begin. Some require that cyber coverage be in place before they will even consider a new app. To developers, this might appear to be nothing more than another hoop to jump through and an additional burden. To hospitals, it’s a smart way to mitigate the risk associated with unfamiliar tools and to protect IT environments and health data from disruption or harm.
Cyber Insurance Is Becoming Ubiquitous in Healthcare
The cyber insurance marketplace is expanding rapidly, with more providers offering coverage to a wider range of entities than ever before. For developers, the primary purpose of cyber insurance is to help protect the corporation and its officers in the event of a cyber-attack or data breach. For hospitals, the primary benefit is the same.
It’s important to understand that the vast majority of hospitals today, especially the largest institutions, already carry cyber insurance of various sorts to manage their own risk. This is in addition to whatever types of general (non-cyber) insurance an institution may have. Developers should be aware that many hospital cyber policies require that companies offering new apps, software, or systems to a hospital also have cyber insurance coverage, in addition to any other requirements for general liability, errors-and-omissions, or other types of insurance.
Rather than treating this as a burden, developers should see it as an opportunity to rise above their competitors. As long as they are fully HIPAA compliant, developers who have appropriate cyber insurance in place will generally be given far stronger consideration by hospitals than developers who don’t.
Coverages Vary Considerably Among Insurers and Are Not Equally Available
The types of coverages described in our articles are not all equally available. Insurance for losses arising from a breach of customer or employee privacy is easier to find, and there is substantial capacity in the insurance marketplace for this type of coverage. On the other hand, insurance coverage for the ancillary financial losses arising from data breaches, such as lost business income and loss of the value of destroyed information assets, is harder to find.
Premiums for cyber insurance can vary widely. Various reports state that cyber insurance premiums range from $10,000 to $35,000 or more annually for $1 million in coverage. While cyber coverage has become more available, insurers continue to develop their understanding of, and approaches to, cyber risks. Some carriers have underwriters with deep knowledge and experience regarding cyber losses, while other carriers do not. As a result, insurers have had difficulty pricing cyber insurance, and there can be large differences (as much as 30 percent or more) between the premiums charged by two different carriers to insure the very same risk.
Experts report that the limits of liability purchased by U.S. businesses vary widely. Average policy limits purchased are typically between $1 million and $5 million. Insurance data provider Advisen reports that “For companies with less than $500 million in revenue, policies with limits of between $1 million and $5 million cost between $2,000 and $5,000. For companies with more than $500 million in revenue, for a policy with limits of $5 million to $20 million…premiums will range from $100,000 to $500,000.”
Like other small and midsize businesses, developers are ideal candidates for cyber insurance if they can afford it. This is because developers, like many small businesses, tend to be less prepared for a data breach and less able to absorb the costs associated with a breach. Larger companies, with more substantial risk management and legal departments, are often better equipped technically and financially for a breach. This can make cyber insurance a less effective risk management tool for larger, well-established firms.
Insurers are responding to insurance claims arising from cyber losses on a regular basis. NetDiligence reports that the insurers who have been in the cyber insurance business the longest, ACE, AIG, Beazley and Hiscox, have large books of claims and are handling several claims per week.
Cyber Insurers Will Test Your Data Security
Purchasing cyber insurance is more than just filling out forms and paying premiums. Most cyber insurers today require testing of an applicant’s data security before coverage will be issued, and sometimes before a quote can be obtained. Developers should be keenly aware that the degree of IT security their app demonstrates, as well as that of key vendors, will be a major factor in the cost of cyber insurance. The quantity and sensitivity of data an app handles will be considered as well. Testing can involve remote scans, penetration testing, code reviews, or any number of other testing methods. Developers should also consider that cyber insurers are well aware of HIPAA, and if health data is involved, insurers may seek evidence of a developer’s full HIPAA compliance.
Stronger security typically means a lower cost for cyber coverage. This also means that two different developers with similar apps may pay very different cyber insurance premiums for the same coverage, depending on their levels of IT security and the kinds of data their apps process.
Developers may not like the additional expense of cyber insurance. It can seem like more of a burden than a benefit. But cyber insurance is a very effective way to mitigate the risks and fallout from data breaches and security incidents. It’s also a basic requirement hospitals and other healthcare institutions will demand before giving developers and their apps serious consideration. Cyber insurance is one challenge developers should educate themselves on and get ahead of promptly.