Insurers are reformulating their policies for device firms and others to meet the new threat of cyber attacks in the health-care arena, according to experts from the law firm Covington & Burling.
With the reports of growing numbers of cybersecurity vulnerabilities and ransomware attacks on medical devices, manufacturers should at least start to discuss purchasing cybersecurity insurance to cover the spectrum of risks, according to experts.
Attorneys at Covington & Burling who work with medical device companies to determine what insurance policies they should invest in say there's been a growing interest in the health-care sector in buying cyber insurance. As cybersecurity flaws in medical devices and ransomware attacks have become more prevalent, the experts suspect the trend will only continue.
"We are in the midst of an evolution of the insurance market right now in this area," said Marialuisa Gallozzi, a partner at Covington & Burling who has helped companies develop insurance recovery strategies.
She says cyber insurance policies have been a growing trend, but, unlike other more traditional policies, the market is right now "betwixt and between" in terms of developing specific cyber insurance standards.
"There are these standard forms of insurance coverage that have been around forever like product liability, property insurance, kidnap and ransom insurance, things that are sort of standard parts of a business' portfolio, depending on the size and complexity and location of the business," said Gallozzi. But as the industry has evolved and the threat of cyber attacks has grown, insurance companies have developed exclusions and "sublimits" to restrict payouts for emerging cyber risks in the policies they are offering companies.
In parallel to these exclusions, the insurance industry has developed new cyber insurance products to fill the gaps, she added.
Gallozzi says the industry is "migrating from those traditional policies and moving into cyber insurance policies that pick up different aspects of the risk but may otherwise have fallen in those traditional insurance policies."
John Buchanan, a senior counsel in Covington's Washington office and the firm's first Insurance Practice Group Coordinator, echoes the sentiment. He says that each insurance company has its own proprietary cyber insurance form, and that they have not been standardized the way forms in other areas, such as general liability or, to some degree, first-party property insurance, have.
"It's still really the wild west out there," he said. "Some of the forms are pretty well drafted, while others are very ineptly drafted, and the scope of coverage really varies from form to form. [It requires] very careful attention."
Depending on the policy, some insurance forms may cover issues such as operational disruptions and business interruption costs from cyber attacks, while others may provide coverage for such attacks, but at an extra cost. In some cases, Buchanan says, relevant coverage may not be offered under a specific cyber coverage policy, but rather under a property policy, where some insurers now offer at least some limited endorsement for business interruptions and physical damage from a cyber attack.
Gallozzi adds that for other insurers, cybersecurity-related coverage may even be found within kidnap and ransom policies.
Coverage Limits: Cyber-Extortion And Other Risk Policies
With the recent rise of ransomware attacks in the health-care space, it is worth remembering, according to Buchanan, that, while some insurers may cover damages from ransomware hacks, many firms have sublimited their cyber-extortion policies, just as the threat has increased. Just in the past two to three years, he says he's noticed insurers setting sublimits that didn't exist before for ransomware payouts.
"I had a client recently who wanted to be sure that they were getting ransomware coverage from their cyber insurer and [the insurer] said, 'Oh sure yeah. We've got a special endorsement for that,'" said Buchanan. "And then the policy came in and the ransomware risk, which is really just a form of cyber-extortion, turned out to be a very small sublimit, so it was essentially an exclusion for ransomware that was masquerading as sublimited coverage."
Buchanan says typical policies these days cover up to $10 million in damages for various cyber risks, but, upon closer inspection, companies may find that each of those risks is sublimited well below that maximum amount. In the example he relayed, his client found out that the insurer limited damages for ransomware to only $25,000.
"You can think you're buying $10m worth of cyber coverage, but you have to look very carefully at the list of sublimits on the declarations page to see whether in fact you're getting that full $10m for all the risks you are most concerned about," added Buchanan.
Another area he says medical device companies should look at when buying insurance, in general, is coverage for regulatory investigations, which in some cases can be between 25-50% of the total coverage limit.
Gallozzi says sublimiting isn't unique to cybersecurity insurance policies and happens in other regulated industries as well. She points out that in product recall situations, a company may think they have up to a million dollars' worth of coverage, but, in practice, are only covered at a fraction of the cost.
"It's $25,000 out of a million-dollar limit so they can say they are offering you coverage, but in terms of actually giving you meaningful protection, there's not a lot there," she added.
So far, hackers have demanded relatively low ransom amounts for the attacks, such as the $300 ransom for the Petya worm that captured global attention this summer. (Also see "Security Firm Confirms 'Petya' Has Affected Medical Devices" - Medtech Insight, 4 Jul, 2017.) However, that may not always be the case. Also, some ransomware policies may cover all costs associated with a hack, including the ransom payoff and other ancillary costs, such as forensics costs and the business interruption cost, which may be well above the sublimit.
"In fairness, some of these ransomware endorsements are actually confined to the actual ransom," added Buchanan. "$25,000 so far would be fairly enough to hackers, seemingly."
Privacy At A Price
While ransomware risk is a fairly new phenomenon, a more traditional and common cyber risk is data breach. In fact, it may be the biggest cyber risk, according to Jeff Kiburtz, a special counsel at Covington, who specializes in commercial insurance issues including cyber coverage. Historically, the costs of data breaches that led to privacy violations were covered under virtually every business organization's policies, and, depending on federal and local statutes, those costs were relatively low. However, that's not the case anymore.
"With the accumulation of data and some of the earlier privacy breaches, all of a sudden these insurance companies started to realize they could have very very substantial liability. We're talking about [class action lawsuits] that have for example medical information disclosed on the internet," he said. "That could be $5,000 per violation; you have 180,000 class members, you have massive numbers and potential liability in very very high amounts."
As a result, some insurance providers started excluding disclosure of private information by electronic means in their policies, though it took them some time to figure out the wording, according to Kiburtz.
In many cases coverage for privacy violations is covered under third-party liability coverage, where a company pays compensation to consumers for any perceived damages. There's also a separate bucket of coverage companies buy that helps pay for their legal costs when a case is brought against them for privacy disclosures.
Kiburtz says that with the advent of privacy laws, law-makers around the country started passing legislation requiring companies to issue notices of disclosures when there may have been a privacy violation. Those costs can be substantially high and should be something manufacturers should be aware of when looking to buy insurance coverage. Companies should also think about the internal costs of figuring out how extensive a breach was, what it takes to patch the breach and how to prevent it in the future.
"Those costs can be enormous and they can be in the tens of millions of dollars when you have some of these state-sponsored cyber attackers that get far into these sophisticated networks," said Kiburtz. "There's the whole [theory] of how do you figure this out and how do you get them out and that costs a lot of money, and a lot of time that could be called forensic costs."
Cyber-Physical: Into The Realm Of Patient Harm
In the case of medical devices, another issue to think about is who bears the responsibility when a cyberattack results in patient harm or privacy violations.
Buchanan says that regulators and plaintiff lawyers, in general, try to cast as wide a net of responsibility as possible over device-makers and health-care providers including hospitals. If the hospital is relatively small and the manufacturer is large, then, as a practical matter, the manufacturer may end up paying a larger share of the payout, regardless of whether the manufacturer finds that a fair judgment.
Cybersecurity experts agree that ransomware attacks are on the rise and are likely to become more sophisticated. This, say the Covington attorneys, means the need for cyber insurance will only grow for medical device-makers. And considering that such attacks could lead to actual physical injury, also known as cyber-physical loss, the potential risk to device-makers is greater than just a privacy violation.
"From an insurance perspective, how compensation for injuries are dealt with is totally separate and raises unique and difficult issues, I think, for device companies and for the insurance industry," said Buchanan.
He notes that most cyber insurers may not worry about pricing cyber-physical risk because their policies often contain exclusions for bodily injury and property damage. He adds that gaps in the typical cyber insurance coverage mean the cost of the risk would have to be picked up through other policies, if at all.
Buchanan says if a company thinks its products might present cyber-physical risks, it should look very closely at its policies to figure out which, if any, are likely to provide coverage. On top of exclusions for bodily injury and property damage in many cyber insurance forms, coverage may also not be certain under professional liability/errors and omissions, or E&O, policies due to exclusions for physical injuries or certain cyber risks, depending on the policy. He adds, similarly, that coverage for cyber-related bodily injury or property damage may not be available under general or products liability policies due to so-called "cyber" or "data breach" exclusions that are commonly found in more recent versions of these policies.
In May 2014, the Insurance Services Office, an organization that develops standard-form policies for use by the insurance industry, issued two new versions of exclusions focused on certain types of cyber liability.
Although one of these versions expressly preserves coverage for bodily injury, Buchanan is concerned that insurers might broadly construe these exclusions as cutting off a broader range of cyber-physical risks than was intended. But even where coverage is available under general or products liability policies, some life sciences companies have large self-insured retentions that could limit their ability to effectively access that coverage.
"For some of these big [medical products] companies, it may not kick in below an astronomical number like half a billion dollars or something or there are specialty insurance products that are tailored to fill in gaps like this physical bodily injury caused by a hack," Buchanan added.
Overall, Buchanan believes that cyber-physical risk presents "a very tricky medical area that medical device-makers need to pay attention to when they buy their insurance, whether that's a risk their insurance covers, or if they have to get additional insurance or if that's a risk they're willing to live without."
Cyber Insurance Shopping: A Good Exercise
Overall, the attorneys state that cyber insurance should be considered by all companies, including medical device manufacturers. At minimum, they say, the exploration process helps a firm better understand its potential vulnerabilities and decide whether it should be covered.
"I would not advise any client in this day and age not to give careful consideration to cyber insurance," said Buchanan. "I think they need to look at it very carefully and in most instances, I would urge them to buy it for the privacy and ransomware, social engineering risk that any company is subject to.
"That's kind of a generic risk and cyber insurance is aimed at that and it should be at least considered part of an overall enterprise risk management program," he added.
Gallozzi says that while cyber insurance policy applications have evolved substantially and some brokers have tried to standardize the forms, the process requires a tremendous amount of information and detail from the potential insurance-holders. "You do have to take a step back and look across at your existing portfolio because the answer to these protections may not all be in one place."
Kiburtz says the process is particularly useful for younger companies and start-ups to help them better understand their coverage. He says when considering buying cyber insurance, device-makers should also look at their professional liability, general liability and product liability coverage as well, to figure out where the gaps and overlaps may be.
"As technology changes, and we're seeing it particularly with companies moving into the digital health space, where you have things that sort of feel like products but at the same time they feel like professional services and the distinction between traditional products risks and professional services risks," said Kiburtz. "There's typically an exclusion for professional services under many products liability or general liability policies. How well the pieces fit together is not necessarily intuitive and I don't think people should assume all their insurances are going to provide the different coverages, that they're going to be gap free when they're moving across programs, particularly in the context of these newer risks."
Traditionally in the medical field, hospitals bought professional liability insurance to protect themselves from potential malpractice lawsuits, Kiburtz says. However, there's been growing interest in recent years in what is called miscellaneous professional liability insurance, or technology errors and omissions insurance, because more and more companies, including those in the medtech sector, are blurring the line between a product and a service.
Buchanan agrees, stating that technology errors and omissions insurance, or E&O, has flourished in recent years because software products could not be readily interpreted as either a product or a service.
"I do think some of the overlap with some of these medical devices that have a very large software component...the technology E&O will be a necessary part of the program they have to look at," he added. "It may be integrated as part of their cyber policy or freestanding, but one way or another it will probably be a part of the insurance that a lot of medical device manufacturers have to look at and evaluate."
From the editors of The Gray Sheet