Continuously under attack from hackers, DHBs are paying tens to hundreds of thousands of dollars to insure themselves against cyber attacks, although the Ministry of Health currently has no cover, Thomas Coughlan reports.
Cyber security is big news in the insurance business, generating healthy premiums for insurers and large payouts following attacks. New Zealand’s District Health Boards are getting in on the action. With some fending off as many as six cyber attacks a second, DHBs are taking out big cyber policies to help them cope with attacks.
And the costs can be huge. Liam Pomfret, head of cyber and professional indemnity at AIG New Zealand told Newsroom some larger, international companies were covering themselves for “hundreds of millions”.
The DHBs in major cities including Auckland, Counties Manakau, Capital and Coast, Canterbury, and Southern have all taken out cyber insurance, some just recently. Capital and Coast DHB took out cover on July 1 this year.
The Ministry of Health itself does not have cyber insurance, but an OIA request revealed the Ministry was undergoing a “needs analysis” to determine whether to purchase such insurance in the future.
Tens to hundreds of thousands in premiums
Commercial sensitivity means that it is impossible to know just how much cover DHBs have taken or or what they pay in premiums.
Ryan McGehan, cyber underwriter at NZI told Newsroom that DHBs were likely paying tens to hundreds of thousands of dollars in premiums.
“Health related businesses in general will be more expensive because they are deemed to be a much higher risk,” McGehan said.
“DHBs are very large and there are lots of records involved so I’d expect it to be very pricey.”
He said that health data was particularly valuable on the black market, which often made health businesses a target for hacking gangs.
Health data contains a wealth of information for identity thieves, including full names, addresses, birth dates, policy numbers and diagnosis codes. Stolen patient data sells for even more than stolen credit card details on the black market.
Pomfret said large New Zealand corporates would be paying “tens to hundreds of thousands of dollars” depending on the excess they wanted to have and the limits they wanted to buy.
Businesses can purchase cover for first and third party cyber related costs, which help cover the large liability costs associated with a cyber data breach.
An OIA from Wellington’s Capital and Coast DHB revealed its cover included notification costs, data recovery costs, business interruption losses, third party liability costs, defence costs, financial penalties and investigation costs.
Payouts help pay not just for the cost of getting the hospital back to functioning, but for any liabilities incurred as a result of lost data.
Some insurers even offer to pay for public relations experts to mitigate reputational damage.
Research undertaken by the National Cybersecurity Alliance in the United States found that as many as 60 percent of small to medium sized businesses fold in the six months following a cyber attack.
Financial penalties for breaching client privacy can be severe. The European Union’s GDPR, which came into force this year can fine firms 4 percent of global revenue or €20 million, whichever is greater.
“No faith in the ministry and their oversight of cyber security”
National’s cybersecurity spokesperson Shane Reti said it was reassuring that DHBs were taking the issue seriously
“I’m pleased the DHBs have cyber insurance, I hope the scope of that insurance is appropriate,” Reti said.
He said the cost of insurance was a reflection of the threat faced.
“It is important and it is expensive,” he said.
But he was concerned the Ministry of Health had not taken out a cyber insurance policy.
“I don’t have faith in the ministry and their oversight of cyber security”
He said it was crucial for DHBs to take measures to reduce cyber risk, which would flow on to reduced premium costs.
A fast growing industry
Cyber insurance is one of the fastest-growing sectors of the the insurance sector. Insurer Chubb recorded there were 17 insurers selling cyber cover in 2007, generating $350 million in premiums a year. That number has risen to 65 insurers selling $3.5 billion of insurance a year, according to The Financial Times.
And insurers are gearing up for massive payouts. Bloomberg reported last year the next ‘wannacry’ attack, the North Korean cyber attack that crippled several hospitals in the UK, could cost insurers $2.5 billion.
McGhehan said the industry has grown enormously in the last seven years. When NZI’s cyber product was launched two and a half years ago, it was the most successful new product launch the company had ever had.
This article was first published on Newsroom Pro on Wednesday, September 13 at 6.30 pm. Subscribe to Newsroom Pro here.