John Miller, CEO of Sterling Seacrest Partners, was with us back at the beginning of our podcast experiment. Over 100 episodes ago, in February 2017 on episode 89, we first talked with him about cyber insurance policies. Today we’ve brought John back to discuss how cyber insurance coverage has changed over the last two years.
There are so many discussions about the costs of data breaches and what we need to worry about in our episodes. Today, more than ever, businesses need to evaluate what kind of coverage they have to address these issues. John is very involved in cyber policy specifically in healthcare. He and I have great discussions about scenarios and how they pan out under HIPAA. We are happy he has made time to join us again and drop some knowledge on us.
This article on Dark Reading is a list that reminded me we needed to circle back to this topic.
- Sales loss during downtime
- Losses incurred before a ‘waiting period’ ends
- Third-party mistakes
- New hardware
- Software upgrades
- Social engineering
- Bodily injury or property damage
- PCI fines
- Reputation damage
- Loss from account takeover schemes
While I usually have time to write up a clear, detailed post, it isn’t as easy when we do an interview. Below are the topics we covered. You will need to listen to the audio to get the details on this one.
- How do you figure out how much cyber coverage you need with so much to consider?
- Do most policies cover all the costs for investigation and recovering from the cyber attacks as well as data breach notifications that may be required?
- What about potential lawsuits or legal action?
- What covers you when a problem comes from a patient complaint instead of a cyber attack?
- We often hear “I have cyber included in my med mal or my E&O, etc.” Do those policies really cover the things we discussed so far the same way a specific cyber policy would?
- The ways you are actually allowed to use some of these policies, such as having to use specific vendors depending on the type of policy you have in place, can vary widely. How can you be sure what you’re actually getting?
- Are you seeing changes in the way policy applications ask for SRAs and similar proof-type documentation, rather than just a yes or no answer?
- What about the states like Ohio that are adding laws that provide a “safe harbor” if you can prove you have a formal cybersecurity program in place when you have a data breach? These are aimed at brokers specifically so far.
- Do you think those clauses will also show up in policies?
- Do you think many businesses will take advantage of it or even understand it?
- There is talk about making this “safe harbor” option a thing for HIPAA entities. At least, a lot of discussions about it have occurred. No way to know if that would ever come into play.
- What do you think is the most important thing we should tell folks to consider when it comes to evaluating coverage for cyber events and data breaches?
No matter the size of your business, now is the time to determine what cyber insurance coverage you have and what you really need. Contact John and his team for help in doing just that.