Why Are Cyber Insurance Premiums Rising?
Mac McMillan of CynergisTek Sizes Up Latest Trends, Including Demands for MFA, PAM
Many healthcare organizations that are up for renewals of cyber insurance policies are seeing big increases in premiums and a long list of new security requirements from their carriers, says Mac McMillan, who recently returned as CEO of CynergisTek, a privacy and security consultancy he co-founded in 1995.
With the surge in ransomware attacks, "cyber insurers are starting to look at these incidents and what they're costing them," McMillan says in an interview with Information Security Media Group. "What we are seeing is that the premiums are going up steeply, and the underwriting requirements are getting more specific."
For instance, some healthcare provider organizations up for cyber policy renewals have told McMillan that their carriers are seeking to increase their premiums four- to sixfold, unless the organizations implement much more robust security controls.
"All of the things that the carriers are asking for are very reasonable from a cybersecurity perspective," he says. "What they're asking for is absolutely needed to have a very resilient program. But unfortunately, we have a lot of health systems that don't have these things implemented."
Some insurance carriers are mandating the implementation of privileged access management solutions to avoid heftier rate hikes, he notes.
"They're talking about multifactor access internally, as opposed to just externally," he says.
"A lot of our hospitals have adopted multifactor authentication as it relates to remote connectivity. … But having MFA internally to the network, for a lot of organizations, is still something that they don't have or do. Partly that's because some people find it to be very inconvenient."
Insurance companies are pushing MFA and PAM "because once hackers get in, the first thing they try to do is exploit an elevated privilege to move around laterally within the environment and compromise other parts of the network," McMillan says.
But even when the healthcare organizations agree to implement those and other controls, "they are still expecting a pretty steep increase in premiums," he adds.
In the interview, McMillan also discusses:
- The recent ransomware incident at Scripps Health, which the organization says has cost $113 million so far, including $91.6 million in lost revenue, of which only about $21 million will be covered by insurance;
- The level of influence insurers have in decisions by healthcare entities to pay a ransom following a cyberattack;
- Other recent cyber insurance-related trends.
McMillan is co-founder, board member and CEO of CynergisTek Inc., an Austin, Texas-based firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has about 40 years of security and risk management experience, including 20 years at the Department of Defense and its Defense Threat Reduction Agency.