Global cyberattacks grew 38% between 2021 and 2022, and experts believe the risk will only continue to escalate. In the news, a steady stream of reports detail the myriad ways that sensitive data can be exposed — and show that the risk can come from outside an organization or within it.
Earlier this month, Kris 6 News reported that a teenager spent weeks pretending to be a traveling physician assistant at two hospitals in Corpus Christi, Texas, last spring, gaining access to the emergency room, ICU, and other departments after a volunteer coordinator reluctantly gave him a badge. Although the teen, who was eventually arrested and pled guilty to two felony charges, reportedly did not interact with patients or appear to have stolen data, the unusual incident reveals one of many potential vulnerabilities, said Gabriel Villalpando, Broker, Professional Liability, Burns & Wilcox, Pittsburgh, Pennsylvania.
In recent weeks, separate cyberattacks disrupted learning at two school districts; Rochester Public Schools in Minnesota canceled classes for 42 schools while it investigated a cyber incident, and a ransomware attack against Jefferson County Schools in Alabama left students without internet and most technology for two weeks, according to reports.
There is no shortage of similar examples, said Karl Olson, Vice President, Professional & Management Liability Practice Leader, Burns & Wilcox Brokerage, San Francisco, California. Each case points to the need for robust data security protocols, as well as risk transfer through Cyber & Privacy Liability Insurance.
“Reports of data breaches are prevalent,” Olson said. “On the flip side of that, a few things can help: one is purchasing market-competitive insurance coverage, and second is working with a broker who knows the coverage and having awareness of all of the risk management services that those policies offer.”
Ransomware attacks becoming more common
According to a recent international survey from Barracuda Networks, Inc., about 73% of organizations had experienced a ransomware attack during 2022 and 38% were targeted twice. Email was the most common way that businesses were targeted, Property Casualty 360 reported. In the U.S., 68% of organizations experienced a ransomware attack and paid the ransom in 2022, according to Statista, and in March the White House classified ransomware as a national security threat, Forbes reported. In Canada, cyberattacks impacted 85.7% of Canadian companies in 2021, with 61.2% of companies experiencing a ransomware attack that year, according to a February 2023 report from Comparitech.
While all industries can be affected by cybercrime, the healthcare, financial services, and manufacturing sectors are among the most impacted in the U.S., Statista reported. In Canada, telecom and tech companies experienced the most cyberattacks in 2021, followed by healthcare and public-sector entities, according to PwC Canada.
“Patient records contain a lot of information, from names and social security numbers to payment information and Medicare or Medicaid data,” Villalpando said. “That information can then be used in social engineering and spear-phishing attacks. The medical record tends to have information that can do a lot of damage.”
Certain industries, such as health care, are also more vulnerable due to the impact a breach can have on daily operations. When Universal Health Services suffered a major cyberattack in 2020 that shut down its U.S. network, it reported an estimated “unfavorable impact” of $67 million, most of which was linked to lost income due to seeing fewer patients, Healthcare IT News reported in 2021. This month in Cornwall, Ontario, a cyberattack against a hospital’s computer network continued to cause patient delays for non-urgent care almost a week after the incident was identified, CTV News reported April 17.
“For a hospital, school, warehouse, or even a trucking company to lose their ability to access their network, that is extremely disruptive and can cause lost revenue, in addition to the cost of remediating the extortion situation or rebuilding their network,” Olson explained.
An organization’s Cyber & Privacy Liability Insurance can pick up these costs, as well as breach notification, regulatory fines, reputational damage, and other expenses, including legal defense and settlements in the event the company is sued over the incident. Excess Liability Insurance may also be beneficial for organizations seeking additional liability limits.
“The good news is there are a lot more Cyber & Privacy Liability Insurance carriers out there today providing coverage, so there are more options,” Olson said, but it is imperative that organizations understand their risk. “Large companies are usually pretty well aware of their cyber risk and will have more developed IT departments and more risk management, but small and middle markets may not be in pursuit of that yet.”
‘Human error’ not the only consideration
According to Verizon’s 2022 Data Breach Investigations Report, which evaluated 23,000 cyber incidents worldwide, 82% of data breaches involved a human element, including social attacks, errors, and misuse. Whether data is exposed by a hospital worker mistakenly providing facility access to an unauthorized individual or by a school administrator clicking on a phishing link in an email, the risk of “human error” remains a common link in many breaches, Villalpando said. Healthcare companies and other organizations have a duty “to ensure gatekeeping, and to protect the confidentiality of not just patients but also employees and even policies and procedures,” he said.
“A great deal of cyber crimes are facilitated through human error, whether over the internet or over the desk,” Villalpando said, pointing to the recent incident involving the teen posing as a physician assistant. “Cyberattacks generally occur across oceans, but that particular teenage imposter had access to systems and could have leaked data from inside the facility as opposed to thousands of miles away. It just goes to show just how close some breaches actually are.”
At the same time, mitigating human error through staff training and basic digital safeguards is not enough to address the constant evolution of cyber risk, Olson noted. Companies can improve their cybersecurity by limiting the use of and access to personal information, but they must also prepare for “much more coordinated efforts by bad actors” to access data, which could include emulating other users’ identities and other difficult-to-detect tactics.
“Hackers are becoming much more sophisticated,” Olson said. “They get better at what they are doing every year, so the countermeasures become more commonplace but the bad actors become better at subverting those.”
Preparing for an evolving threat
As cyber risks continue to evolve, an organization’s best defense includes staying up to date on cybersecurity best practices. According to Villalpando and Olson, much of this can be provided through the risk management services included in a Cyber & Privacy Liability Insurance policy.
“The insurance coverage itself is only a small part of what those policies offer,” Villalpando said. “The biggest value is in the risk management that Cyber & Privacy Liability Insurance policies provide. I would advise health care companies to take advantage of all of the services those carriers offer and engage with those risk managers to identify potential sources of breaches and reinforce employee behaviors to protect patient data, employee data, and the premises in general.”
While the policies can help companies pay for a variety of cyberattack-related expenses, avoiding these incidents to begin with is the ultimate goal, he said.
“It is incumbent upon these organizations to do the risk management to really seal up their records and processes,” Villalpando said, adding that the “thought leadership of the carriers” is invaluable during this process. “They can assist with putting processes in place and strengthening procedures to avoid mistakes.”
The best type of data security response “happens before any event occurs,” Olson agreed.
“It could be the proactive advice about network security and data architecture or creating and then following proper protocols. Insurance carriers can provide information on that and work alongside their insureds to improve their risk stance,” he said. “When you put in the work upfront to create a secure environment, if something does happen, you are going to be better prepared and equipped to respond to it. It is usually in the organization’s best interest to find a cyber policy that matches up with their philosophy and provides access to vendors so that relationships can be established in advance of any sort of need for a claim response.”