Wellington, September 15, 2018
DHBs could be spending up big on cyber security, but the threats of going without are enormous (Photo for Newsroom by Lynn Grieveson)
Continuously under attack from hackers, District Health Boards (DHBs) are paying tens to hundreds of thousands of dollars to insure themselves against cyber attacks, although the Ministry of Health currently has no cover.
Cyber security is big news in the insurance business, generating healthy premiums for insurers and large pay-outs following attacks.
Big Cyber Policies
With some fending off as many as six cyber attacks a second, DHBs are taking out big cyber policies to help them cope with attacks.
And the costs can be huge. Liam Pomfret, Head of Cyber and Professional Indemnity at AIG New Zealand, told Newsroom that some larger, international companies were covering themselves for “hundreds of millions.”
The DHBs in major cities including Auckland, Counties Manukau, Capital and Coast, Canterbury, and Southern have all taken out cyber insurance, some just recently.
Capital and Coast DHB took out cover on July 1 this year.
The Ministry of Health itself does not have cyber insurance, but an OIA request revealed the Ministry was undergoing a “needs analysis” to determine whether to purchase such insurance in the future.
Commercial sensitivity means that it is impossible to know just how much cover DHBs have taken or what they pay in premiums.
Large Premiums payable
Ryan McGehan, Cyber Underwriter at NZI, told Newsroom that DHBs were likely paying tens to hundreds of thousands of dollars in premiums.
“Health related businesses in general will be more expensive because they are deemed to be a much higher risk. DHBs are very large and there are lots of records involved; so, I would expect it to be very pricey,” he said.
Mr McGehan said that health data was particularly valuable on the black market, which often made health businesses a target for hacking gangs.
Stolen patient data
Health data contains a wealth of information for identity thieves, including full names, addresses, birth dates, policy numbers and diagnosis codes. Stolen patient data sells for even more than stolen credit card details on the black market.
Pomfret said large New Zealand corporates would be paying “tens to hundreds of thousands of dollars” depending on the excess they wanted to have and the limits they wanted to buy.
Businesses can purchase cover for first- and third-party cyber-related costs, which helps meet the large liability costs associated with a cyber data breach.
An OIA from Wellington’s Capital and Coast DHB revealed its cover included notification costs, data recovery costs, business interruption losses, third party liability costs, defence costs, financial penalties and investigation costs.
Pay-outs help pay not just for the cost of getting the hospital back to functioning, but for any liabilities incurred as a result of lost data.
Some insurers even offer to pay for Public Relations experts to mitigate reputational damage.
Research undertaken by the National Cybersecurity Alliance in the United States found that as many as 60% of small to medium-sized businesses fold in the six months following a cyber attack.
Financial penalties for breaching client privacy can be severe.
The European Union’s GDPR, which came into force this year, can fine firms 4% of global revenue or €20 million, whichever is greater.
No faith in the Ministry
National’s cybersecurity spokesperson Shane Reti said it was reassuring that DHBs were taking the issue seriously.
“I am pleased the DHBs have cyber insurance, I hope the scope of that insurance is appropriate. The cost of insurance is a reflection of the threat faced. It is important and it is expensive,” he said.
But he was concerned the Ministry of Health had not taken out a cyber insurance policy.
“I don’t have faith in the ministry and their oversight of cyber security,” Mr Reti said.
He said it was crucial for DHBs to take measures to reduce cyber risk, which would flow on to reduced premium costs.
Cyber insurance is one of the fastest-growing segments of the insurance sector.
Insurer Chubb recorded there were 17 insurers selling cyber cover in 2007, generating $350 million in premiums a year. That number has risen to 65 insurers selling $3.5 billion of insurance a year, according to The Financial Times.
And insurers are gearing up for massive pay-outs. Bloomberg reported last year that the next attack like ‘WannaCry’, the North Korean cyber attack that crippled several hospitals in the UK, could cost insurers $2.5 billion.
Mr McGehan said that the industry has grown enormously in the last seven years.
When NZI’s cyber product was launched two and a half years ago, it was the most successful new product launch the company had ever had.
Thomas Coughlan is a Newsroom reporter based in Wellington who writes on policy and economics. The above article has been reproduced under a Special Agreement.