Cyber Insurance: Want a Discount?
Why One Insurer Is Reducing Premiums for Those Who Are HITRUST CSF Certified
Cyber insurers assessing whether to offer coverage to medical centers, clinics and other healthcare providers attempt to size up their security risks based, in part, on the governance programs and security frameworks those organizations have implemented.
One cyber insurer, Allied World U.S., a unit of Allied World Assurance Co., is going one step further. It's offering premium discounts of up to 30 percent to healthcare organizations that are certified - or at least have been assessed and scored favorably - as meeting the requirements of the Health Information Trust Alliance's Common Security Framework, or CSF. Some may also qualify for higher coverage limits.
HITRUST CSF is a risk and compliance management framework designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information. HITRUST says CSF leverages nationally and internationally accepted standards, including HIPAA, NIST, PCI, ISO and COBIT "to ensure a comprehensive set of baseline security controls."
Some security and privacy experts say many cyber insurers are scrambling to find better ways to assess the risks that potential clients face.
"The cyber insurance industry is a hotly competitive market at this time, with significant pressures because there isn't the same volume of data about these costs as there is in many other aspects of the insurance industry," says privacy attorney Kirk Nahra of the law firm Wiley Rein LLP. "So, companies are looking for good ways to evaluate risks from their clients or potential clients."
HITRUST has been working with cyber insurance broker Willis Towers Watson over the last several months to educate cyber insurers, including Allied World, about the use of CSF and the HITRUST CSF Assurance program so that they might consider adherence to CSF in their underwriting decisions about healthcare sector organizations, says Daniel Nutkis, HITRUST's CEO.
The CSF Assurance program enables organizations to be assessed and scored for compliance with the CSF requirements.
Achieving CSF certification is not easy because the framework is so comprehensive, security experts note. Nor is certification inexpensive because it generally requires third-party assessors to score an organization's compliance with the framework. But those factors also help to make CSF certification an objective benchmark for insurers to consider in their cyber policy decisions.
The HITRUST CSF "is broadly applicable in a variety of settings [and] an effective measuring stick for effective security controls," Nahra says.
By using the HITRUST framework, Nahra says, "insurers can find a way to standardize their risk evaluation, and potential insureds can both improve their overall practices and get better rates for this coverage. It is to everyone's benefit to make this approach more broadly available and more broadly used."
The effort by Willis Towers Watson and HITRUST to educate cyber insurers on considering the CSF when issuing policies "represents a significant step toward creating common standards for underwriting review, and adds significant efficiencies to the existing process," says Joshua Ladeau, practice lead of privacy and network security at Allied World U.S. "Providing streamlined, end-to-end privacy and network security-related solutions is an enduring theme for Allied World, and helping to spearhead this initiative is consistent with that theme."
Demonstrating Security Efforts
CSF certification and assessment scores help to illustrate for cyber insurers how a healthcare entity is attempting to improve its security risk profile, says privacy attorney Gerry Hinkley, of the law firm Pillsbury Winthrop Shaw Pittman LLP.
"Most sophisticated customers seek discounts for all types of coverages based on adherence to best practices for risk mitigation and histories of no claims," Hinkley notes. "In the area of cyber coverage, insurers seek objective ways to evaluate the underwriting risk, and looking to third-party accreditation like HITRUST CSF is a logical approach because it relieves the insurer of having to develop and apply its own metrics to an ever-changing landscape, thus reducing the insurer's underwriting costs."
Eventually, however, other benchmarks could emerge, he notes. "I expect other accrediting bodies will seek to establish theirs as a gold standard that saves their customers money in a palpable way through reduced insurance premiums."
Pamela Arora, CIO of Children's Medical Center Dallas, says her organization already has cyber insurance from a firm other than Allied World, but it hopes to see future coverage benefits and premium rates based on the hospital's HITRUST CSF certification status. "We look forward to the market gaining understanding and adjusting premiums to match risk level - especially for organizations that proactively work to identify threats, mitigate risks and seek to continually improve their cybersecurity defense posture," she says.
Of course, adherence to HITRUST CSF doesn't eliminate the risk of breaches. Anthem Inc., a health plan that is a member of the HITRUST executive council and has a representative on HITRUST's board of directors, last year was the victim of the largest cyberattack in the healthcare sector to date, a breach affecting nearly 79 million individuals.
Nevertheless, use of HITRUST CSF helps to minimize security risks, Nutkis insists. "This is a very valid tool in looking at transparency of risk, and residual risk," he contends.