Key Reasons to Consider Buying Cyber Insurance

Michael J. Sacopulos, JD


April 30, 2015

What Else to Consider

Not all cyber policies cover "media liability" claims. For example, a Midwestern aesthetic medicine practice had a new website built. The site displayed before-and-after photos of patients to demonstrate the different procedures performed by the practice and its quality of medical care. Although everyone shown had signed releases for the use of their photographs, the patients hadn't consented to the use of their names. Names weren't directly posted on the website, but were contained in the file name of each photo. When a cursor was placed on top of a photo, the file name would appear, triggering a breach. This is the type of breach—along with postings to such sites as Facebook and LinkedIn—that may be excluded under some cyber policies.

Another large category that cyber policies don't cover is loss of business. Take the Alabama internal medicine practice whose server was so infected with malware that the practice had to shut down for several days to allow IT experts time to fix the system. Whereas this loss of revenue might be covered under a standard business interruption policy, it's not covered under the typical cyber policy.

Closely related to a loss from business interruption is a loss of goodwill. Some studies show that as many as 30% of patients affected by a data breach will not return to a practice. Although it is admittedly very tough to quantify in dollars and cents, this is a long-term loss to the practice that cyber policies don't cover.

A Cyber Insurance Checklist

Once your practice has decided it needs cyber insurance, here's what to do next:

1. Pick the right insurance company. All of the experts agree that selection of your insurance company or broker is the most important first step. "It's critical that you purchase coverage from a carrier with long-standing expertise in cyber insurance, and with a proven track record of assisting insureds and paying claims," says Bob Wice.

2. Buy enough coverage. Cyber claims can be very expensive. Avoid the rookie mistake of buying too little coverage. Knowing that breaches cost at least $100—and sometimes as much as $200—per record/patient involved will help you gauge your exposure. Even smaller practices should consider $1 million in cyber coverage (which should cost $1000-$2000 a year, depending on the deductible).

3. Work with a proactive company. Many cyber insurance carriers offer services to help their policyholders avoid breaches. "Some carriers have devices designed to act as an additional layer of security against various forms of malware," says Michelle Lopilato of HUB International. Take advantage of these services.

4. Know what your policy doesn't cover. Cyber insurance policies can have many exclusions or options to expand coverage. Don't assume that once you buy a policy, you're covered. Work with your broker or insurer to fully understand coverage options and limitations. And also ask what's required of your practice (hardware and software, for instance) in order for your coverage to remain up to date.

5. Have a business interruption policy, too. Cyber insurance won't typically cover lost revenue suffered from a major cyber event. A business interruption policy will help if your practice's IT system is down for a prolonged period of time. (Expect to pay about $0000 a year for this type of coverage.)

Clear and Present Danger

As you can see, being hacked or suffering a cyber attack can be extremely costly. Remember the New England radiology practice that had to spend more than $800,000 after being hacked? It turns out that the hacker wasn't after patient information. He was a teenager from England simply looking for greater bandwidth to play the video game "Call of Duty." Thankfully for the radiology practice, the kid didn't disseminate any personal information, such as birth dates or Social Security numbers.

The New England radiologists learned a very expensive lesson about protecting their electronic files. That said, consider letting this be your "call of duty" to protect your practice from cyber attacks, by purchasing a cyber insurance policy.

