Q & A Session with John Backer, CPA
of Gracey-Backer, Inc. Insurance
John Gracey Backer, CPA, embodies a legacy of excellence and dedication within Gracey-Backer, Inc., an independent insurance agency headquartered in Delray Beach, Florida. Graduating cum laude from Auburn University with a BSBA in Finance and Accounting, followed by a Masters of Accountancy, Backer joined the family business in 2011, marking the fourth generation of ownership. Established in 1925, Gracey-Backer, Inc. has evolved to serve clients across Florida and the Southeastern United States. Specializing in various insurance sectors, including personal, professional, and commercial coverage, the agency boasts a team of seasoned professionals committed to providing unparalleled service. Guided by principles of integrity, honesty, and transparency, both to clients and insurance partners, Gracey-Backer, Inc. ensures that every client’s needs are met with tailored solutions and unwavering support.
It is a pleasure to be with you today to discuss such an important topic. The cyber insurance world is changing constantly, and policies and underwriting guidelines are continually adapting. About five years ago, only 20% of new clients would purchase cyber insurance. Now, that number is closer to 80%, with most seeing it as necessary, similar to general liability or malpractice insurance.
Our firm is unique in that we exclusively focus on the healthcare space, meaning physicians and surgeons, oral and maxillofacial surgeons, dentists, and dental specialties.
Healthcare professionals are increasingly vulnerable to cyber hacking, especially now that they keep electronic medical records, engage in telemedicine, transmit information by email formerly transmitted face-to-face, and create sophisticated websites.
Exposures include e-theft, destruction of patient data, libel and slander, e-vandalism, copyright infringement, denial of services, and other growing threats.
Threats from data breaches come from unexpected places and are all-encompassing:
Threats from outside the office, including hacks from criminals and former employees with access to company information.
Threats from inside the office, including employees, management, independent contractors, and interns with access to sensitive patient data.
Third-party threats, including suppliers, vendors, host providers, and outsourced IT organizations or persons.
Each of these threats can lead to claims for breach of privacy, identity theft, infringement of intellectual property rights, and inappropriate billing, among others.
Q. What is Cybersecurity Insurance?
A. To protect against cyber liability threats, healthcare professionals and practices invest in Cyber Liability Insurance. This policy combines third-party (cyber liability) and first-party (cyber crime expense) coverages into one policy and provides risk management support to reduce the risk of cyber claims.
The generic term “Cyber Liability” insurance addresses risks associated with confidential information or data in various forms, either digital or paper.
Medical and dental offices, regardless of their size, their specialty, or their location, need to ask themselves whether they need cyber liability insurance. Medical and dental offices are especially vulnerable to cyber loss because they deal with personal, financial, and health-related information. The exposure is amplified because this information is usually kept for an extended period. Healthcare data breaches are on the rise, robbing patients of their privacy, exacerbating medical identity theft, and costing the healthcare industry billions of dollars annually.
Q. Who Needs Cybersecurity Insurance?
A. While we focus on insuring the healthcare industry (physicians, oral surgeons, dentists, veterinarians, podiatrists), we believe all businesses should have a cyber insurance policy. Even if you don’t handle personal or patient information, your systems and credit card processing machines can be breached. Hackers don’t discriminate based on the size of your business. Malware takes many forms, and attacks are blasted throughout networks to see who will take the bait. Some hacking groups even target smaller companies because they assume they do not have the same budget for security protocols and employee training. Data reports from 2019 found that smaller businesses were hit harder by cyber-attacks, and 43% of all breaches in 2019 affected small business victims.
Q. What Does Cybersecurity Insurance Typically Cover?
A. Cyber insurance policies come in all shapes and sizes at varying price points. The best policies on the market should provide coverage for the following:
3RD PARTY COVERAGES
Network Security and Privacy Liability: If the insured is sued for damages after a Security/Privacy breach, the policy will pay those damages and defense costs.
Regulatory Investigations, Fines, and Penalties: If a government agency or regulatory authority finds that the insured is guilty of breaching a Privacy Regulation, the policy will pay for the Defense and the civil fines/monetary penalties/monetary amounts they are obligated to deposit into a fund as equitable relief due to the Security/Privacy breach.
Media Liability: Coverage if the insured is sued for damages by a third party due to the release/display of Media Material that results in defamation, slander, trade libel, infringement of trademark/copyright, etc.
PCI DSS Assessment Expenses: If there is actual or alleged non-compliance with the Payment Card Industry Data Security Standard by the insured, the policy will pay the Defense costs and the costs, fines, penalties, fraud loss recoveries, etc., required by the Merchant Services Agreement.
Breach Management Expenses: Coverage when the insured has a legal obligation to notify individuals who are affected by a breach, and they have to contractually indemnify a third party for those costs due to a breach.
1ST PARTY COVERAGES
Business Interruption: Coverage if the insured suffers a loss of revenue or extra expenses due to an interruption or outage of their system caused by a breach.
Contingent Business Interruption: If the insured relies on a third-party provider whose systems are interrupted or down, and this impacts the insured’s ability to generate revenue and go about their normal operations, the policy will pay for those associated losses and subrogate on their behalf.
Digital Asset Destruction, Data Retrieval, and System Restoration: The policy will pay the expenses the insured incurs to restore, recreate, or replace Digital Assets or Computer Systems that are directly impacted by a breach or administrative error.
System Failure Coverage: The lost revenue, extra expenses, or data restoration expenses that the insured incurs as a result of an administrative error, computer crime, accidental physical damage, failure in power supply, electrostatic buildup, etc., will be paid by the policy.
Social Engineering & Cyber Crime Coverage: Coverage for theft of funds or financial fraud loss that the insured suffers as a result of a malicious actor duping them or impersonating an employee or client.
Reputational Loss Coverage: The policy covers business income loss that the insured suffers due to an Adverse Media event that occurs after a breach.
Cyber Extortion and Ransomware Coverage: The policy will cover the cost of the expenses incurred to avoid further disruption or failure of insured computer systems and the ransom payment required by the malicious actor holding their data hostage.
Breach Response and Remediation Expenses: The policy will pay the cost to the insured to hire forensic computer experts to figure out the scope of the breach, notification expenses to share with the affected individuals, legal expenses to determine legal duties and notification laws, costs to provide identity theft or credit monitoring, costs to host a breach hotline for customers, etc.
Q. How Does Cybersecurity Insurance Work?
A. Experiencing a data breach or cyber claim can be overwhelming, as many of us are not IT gurus and don’t know where to start dealing with it.
We have seen claims from all different types of offices, and none of them are easy for our clients to deal with. Without a cyber insurance policy, how would you know where to begin when you enter the office to find your data locked and a ransom demand with a timer on the computer screen? The beauty of the policy is that you can call one phone number and have experts on the other end of the line ready to assist you and get your business back on track.
Our clients are healthcare professionals, meaning they are bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to safeguard their patient information (protected health information or PHI). The trigger for cyber coverage is generally a breach of data. A breach of this information can occur accidentally, such as leaving patient files exposed in the office for others to see or misplacing a thumb drive or laptop with patient data. Conversely, the breach can be due to a hacker infiltrating your system and holding your data ransom. All of these constitute a breach of HIPAA, a severe violation.
The cyber insurance policy should first assign a breach coach to you, who will act as a quarterback throughout the response process and can facilitate contact with other third-party services that may need to be activated. This person is typically an attorney who will also act as your legal defense if needed.
The first requirement for a HIPAA data breach is to notify the Office for Civil Rights, which is part of the Department of Health and Human Services. They will send a government investigator to your office to figure out what happened, what you had done in the form of employee training, and what IT systems were in place to protect the patient data. The size of the fine will depend on your guilt or the degree of mishandling of the breached data, and there is always a fine.
Within the HIPAA law is another law called the HITECH Act. This law then requires that you notify all of your patients of the breach and provide credit monitoring for a year. This can be very costly.
The cause of the breach will dictate what happens next. If a hacker got into your system, your breach coach will bring in a forensic IT team to figure out what data was accessed, verify that the hacker is not still in your system, and see if any hardware was damaged.
If a hacker gets into your system, a ransom payment is often demanded. This typically comes in the form of bitcoin and is time-sensitive. This ransom payment is usually large and can normally be negotiated.
If your system is down due to the attack, you will be unable to see patients and, therefore, unable to generate revenue. Finding a cyber policy that covers the lost income during this time is essential.
Some other things may happen in the claim, which are crucial in ensuring that your business does not suffer long-term due to this attack. One of those is your breach coach bringing in a public relations firm. This firm will help with the notification messaging to your patients and training your staff on how to answer phone calls from affected patients or the media. They can also assist in setting up a call center to field phone calls from your patients, depending on the size of the breach.
This is a generalization of a claim, but it shows that it is anything but a simple process.
Q. What Are the Costs Associated with Cybersecurity Insurance?
A. Underwriting guidelines are constantly changing based on where claims come from. It would be best to have best-in-class controls to get the best policy and pricing.
Underwriters typically look for segregated backups and multi-factor authentication (MFA) at a minimum. While not always required, these are the minimal controls for an excellent policy.
Segregated backups are vital. Segregation from the local network is critical—offline, offsite, or tape. If there is a breach or incident, the insured can recover from the incident, and the backups aren’t compromised.
To get the best policy, MFA will be required for remote access connections to your network, email accounts, and privileged/administrative user accounts.
Endpoint detection and response (EDR) is important and not necessarily required now, but it may open up access to additional markets. This is more applicable to larger practices or systems.
Underwriters will also generally ask about your employee training regimen. Many cyber breaches and claims are due to human error and blunders, such as clicking a bad link. Underwriters love to see that you are doing social engineering and phishing testing. KnowBe4 is a good vendor for this.
Q. Are There Gaps in Coverage if My IT Company Already Has Insurance?
A. This is a widespread misconception. Our clients will say that they have the best IT firm that is insured and the best firewall; therefore, they don’t need a policy of their own. The Office for Civil Rights doesn’t care about this. You still need the coverage because you are still responsible for the care of your data. Legally, regulatory bodies hold the “data owner” responsible, not the “data holder” or “data processor.” If a client or patient entrusts their data to you, it does not matter who you outsource it to on the back end; you are still responsible for communicating with the client and making them whole if something happens to their data. It is also your responsibility to pursue the outsourced provider if it was their fault, but this is where your cyber policy can come into play: it will pay these costs upfront for you and subrogate on your behalf.
Q. What Are the Future Trends in Cyber Insurance?
A. As I mentioned earlier, the market is changing daily. We are seeing more claims (higher frequency) costing more (higher severity). We are still in a “soft” market, so pricing is competitive, and carriers want to write a lot of new business. This is because there is a lot of financial capacity in the market. As with many cycles, this will change, and we will see the pendulum swing to a hard market, where prices are rising, carriers are non-renewing the clients without best-in-class controls, and there are fewer options to obtain a new policy.
Q. What Are the Key Things to Consider When Purchasing a Policy?
A. There are many cyber insurance options, so what are the key things to consider when purchasing a policy?
Earlier, we talked about what a cyber insurance policy covers. At a minimum, you want to ensure that your policy covers these things. There are so many coverages that you’ll want to make sure you have adequate limits.
Ransomware – you’ll want to ensure you have full limits ($1M, $2M, etc.), with language that states the carrier pays directly for the ransom and handles the negotiations for you, rather than you paying out of pocket for these costs.
Social engineering/funds transfer fraud – purchase the highest available limit for this coverage, typically $100k or $250k. Typical claims for this involve someone convincing you to wire/transfer money to a party impersonating a vendor you usually work with, or a hacker getting into your payroll system and paying fake employees. You want to ensure the policy does not contain a verification clause or clawback provision for this coverage. This language states that the carrier can deny the claim if you do not verify the request by a second form of communication, like a phone call. The insurance carriers are concerned that clients aren’t answering the phone and confirming that what’s requested is legitimate.
Q. What Should Businesses Look for in a Cybersecurity Insurance Provider?
A. The best place to find a tremendous cyber policy is through an independent insurance agent who specializes in your industry. Through that agent, you want to find a reputable company with good vendor partnerships and outstanding claims handling. The last thing you want to do is buy the cheapest policy on the market, which could lead to hidden exclusions and a suboptimal claims experience. Many carriers offer a mobile application for your phone where you can report claims. This is a nice feature because you may not have access to your computer systems or cyber policy if a hacker locks up your system.
Some carriers, such as Coalition, offer proactive vulnerability scanning. This is a nice feature that could help you avoid claims.
A more recent addition to cyber policies is a detailed report on the insured organization’s risk exposure, including recommendations on how the insured can proactively mitigate the risk of an attack. These services can cost thousands of dollars but are typically provided for no cost as a value-added benefit with the policy.
Conclusion:
The universe of potential plaintiffs is overwhelming when one considers the number of people and organizations on the internet. Cyber insurance stands as an indispensable shield for healthcare providers in today’s digitally-driven landscape. With the healthcare sector increasingly reliant on electronic health records (EHRs), interconnected medical devices, and telemedicine platforms, the vulnerability to cyber threats looms large. A breach in cybersecurity not only jeopardizes patient confidentiality but also poses significant financial and reputational risks to healthcare organizations. Cyber insurance provides a safety net against such perils by offering coverage for expenses related to data breaches, regulatory fines, legal fees, and recovery efforts. Moreover, it often includes proactive measures like risk assessments and cybersecurity training to fortify defenses and mitigate potential breaches. For healthcare providers, investing in cyber insurance isn’t just a prudent decision; it’s an imperative step towards safeguarding patient trust, maintaining regulatory compliance, and ensuring operational resilience in the face of evolving cyber threats.
For those seeking comprehensive cybersecurity insurance solutions, Gracey-Backer stands as a trusted ally. With a legacy of integrity and a commitment to personalized service, contacting Gracey-Backer guarantees access to tailored coverage options and expert guidance. Reach out today to safeguard your business against evolving cyber threats with confidence and peace of mind.
John Backer, CPA, Vice-President
john@gbifl.com | 561-404-5828