Key Reasons to Consider Buying Cyber Insurance

Michael J. Sacopulos, JD


April 30, 2015

Filling the Gaps With Cyber Coverage

Purchasing cyber insurance isn't as straightforward as buying an automobile policy because not all policies and insurers are the same. Annual premiums, too, can vary widely. Policy costs are often based upon the practice's gross revenue. For example, $1 million of cyber coverage for a practice grossing less than $1 million a year can cost between $500 and $1500. For practices grossing over $3 million a year, the premium for the same amount of coverage can vary from $2000 to over $3500.

When shopping around, forget about price for the moment and consider the reputation of the company. "Your practice should ensure that its insurer is long-standing in the cyber market and has helped similarly situated insureds through complex privacy breaches," recommends Bob Wice of Beazley, the largest provider of cyber security insurance to hospitals, which has dealt with more than 1500 data breaches to date.

Absolutely, experience is key, agrees Michelle Lopilato, director of cyber and technology solutions at HUB International, a global insurance brokerage firm. She suggests asking insurers how long they've been underwriting cyber risk and how much experience they've had with claims involving medical practices.

Some medical malpractice insurers are now offering cyber coverage. Although you might be tempted to buy it from the same company that provides your professional liability policy, be careful. "I consider the cyber coverage offered by medical malpractice carriers to be reckless in most instances," warns Charlie Bernier of ECBM Insurance Brokers and Consultants. Bernier points to the typically low limits and the normal exclusion of first-party claims—which would be those that directly affect you, the policyholder. In other words, claims in certain circumstances might only be paid to third parties, such as persons or entities that can show a loss (patients, for example). "First parties" are the people buying the policy, and "third parties" are everyone else: patients, business associates, and so on.

Bernier further cautions, "Fines and penalties authorized by HIPAA and other regulations are rarely covered. The defense costs are covered, but as every practice knows, the real costs are in the fines."

Know What the Policy Excludes

Once you've selected a cyber insurance carrier, the next step is to focus on what the policy covers and what it excludes. Here's where things get tricky.

For example, take your smartphone. Most policies cover mobile devices. As Ryan Gibney, assistant vice president in the cyber liability team for Lockton, a risk management provider, states, "Any information the healthcare provider collects will be covered, and it doesn't matter where it's stored. It can be stored in a physical file, on a laptop, on a cellphone, or on a backup tape."

Great. But here's the problem: Some policies exclude unencrypted mobile devices. Under such a policy, a breach of data stored on an encrypted smartphone is covered, but a breach of data on an unencrypted smartphone may not be.

In fact, there may be many coverage exceptions in a cyber-insurance policy. Does your practice send out mass emails? If so, don't expect any coverage for claims related to unsolicited communications and the CAN-SPAM Act, the federal law that established rules for commercial email. These types of claims can be excluded.

Frequently, breaches remain undiscovered for months. This lag period between breach and awareness of the breach may trigger an exclusion. Breaches that occurred before the cyber policy went into effect are often not covered—even if the breach was unknown at the time the policy was purchased.

Practices experiencing a breach often offer credit monitoring to affected patients. This is done both to mitigate future claims and to reassure patients. But Bob Wice of Beazley notes that some cyber policies have questionable terms, "such as only covering credit monitoring when the insurer is 'legally required' to do so—which effectively equates to credit monitoring never being covered." This exclusion underscores the need to carefully review a prospective policy.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.