Exclusive: Evaluating Cyber Risk Across Your Healthcare Portfolio

Jon Moore, senior vice-president and chief risk officer at healthcare cyber risk management firm Clearwater, reviewed the substantial risks and financial dangers of cybersecurity breaches during a webinar hosted by DealFlow. Highlights of his presentation:

Overall, it takes an average of 212 days to identify a data breach. The average cost of a U.S. data breach is $9.44 million. Historically, healthcare is even higher due to regulations, fines, and other factors, making the average breach about $10 million. According to the Identity Theft Resource Center, reported breaches have soared in recent years, from less than 800 in 2015 to approximately 1,900 in 2021.

Ransomware attacks are rampant across the healthcare industry. Ransomware is one of the most common forms of malware, experts say. Large hospitals and large and small physicians’ practices are often shut down due to these attacks. Even if the ransom is paid, there is no guarantee they can fully recover. Moore believes this will continue to be the biggest problem from a threat perspective.

Individuals are also affected. The number of breaches impacting 500 or more individuals from 2022 to 2021 rose from about 665 to 715, with the number of those impacted rising from approximately 17 million to more than 45 million.

In 2020, the entities most affected were providers at 53%, business associates at 36%, and payors at 11%. For 2021, the share of providers affected rose to 62%, with business associates declining to 23% and payors at 15%. Moore said he was speculating that business associates who provide services are finding that payors and providers are raising their expectations for the security of their vendors. Vendor risk management is a major issue. Business associates are making a big investment in additional security, Moore said, which may account for the decrease in their share of breaches.

Whenever there is a breach, it is almost inevitably followed by a class action lawsuit. The predicted next wave of class action lawsuits breaks down as:

  • Data privacy and security: 42.9%
  • Covid-19: 32.7%
  • Employment-related: 6.1%
  • Financial products: 6.1%

One breach was followed by a class action lawsuit alleging that a hospital treating a pregnant woman lost her newborn baby partly as a result of the impact of a ransomware attack. Cybersecurity incidents can have a direct effect on patient care: an incident is not just a privacy breach, it can cause actual physical harm.

In the SolarWinds case, which has been blamed on Russian hackers, the breach occurred when malicious code was inserted into the company’s software build. The plaintiffs’ attorneys sued not only SolarWinds but also its PE investors, alleging they sacrificed appropriate cybersecurity investment for short-term profits. The court recently denied the bid to throw the case out.

Cyber Liability Insurers Raising Premiums and Reevaluating Coverage

Not only are premiums increasingly expensive, but there are also more limitations and exclusions on coverage, including MFA exclusions and specific event exclusions:

  • Sub-limits and coinsurance: limits on all losses associated with cyber extortion.
  • Unsupported technology exclusion: losses resulting from outdated or obsolete software.
  • Wrongful collection/BIPA exclusion: exclusion for personal or biometric information collected in violation of applicable law.
  • Unencrypted portable device exclusion: losses associated with theft or loss of unencrypted laptops, thumb drives, etc.
  • Specific event exclusion: losses from large vendor-associated breaches such as SolarWinds.
  • MFA exclusions: losses associated with remote access where MFA is not in place.

Organizations must make sure their cyber liability insurance is sufficient for their needs. This is having more of an impact and is becoming an even bigger issue than federal compliance.

Cyber risk assessment is a common part of the due diligence process. Organizations must understand what kind of an investment they must make to bring cybersecurity up to a reasonable and appropriate level. From a compliance perspective, reasonable and appropriate is the standard.

Today 77% of M&A recommendations are based on the strength of cybersecurity. The discovery of a previous breach derails 49% of deals. Up to 95% of acquirers consider cybersecurity a tangible asset.

What Should a PE Firm Do to Understand and Manage Cybersecurity Risk Across Its Portfolio?

Traditionally, cybersecurity risk management occurs below the PE board level. The level of experience and understanding of cybersecurity varies across boards. It’s a common concern with PE investment organizations, and Moore said his clients ask how to educate their partners.

It can come down to insufficient information and quality of data and decision-making at the portfolio level. Cybersecurity risk and cybersecurity program performance measurement can vary considerably.

The objective is to maximize the value of the portfolio investment by managing cyber risk and ensuring that portfolio companies are establishing a risk program. Clearwater manages risk at the individual investment level and understands risk across the portfolio, Moore said.

Responsibility in a Portfolio Approach to Cyber Risk Management (CRM)

This means understanding and assessing risk, and where it exists within the IT footprint.

Risk can be transferred to insurance or other third parties or mitigated with other safeguards and controls.

Once the treatment decision is made, risk must be monitored on an ongoing basis. This involves auditing against compliance requirements, penetration testing, and 24/7 monitoring through a security operations center (SOC).

  • Risk management: what is the schedule for responding?
  • Who is responsible for the response?
  • Do you have the resources?
  • Manage cybersecurity spending and make sure it is appropriate for your organization.
  • Will you get sufficient bang for the buck from the cybersecurity investment?

All this activity is at the portfolio company level, Moore said. Portfolio companies should report to the board level, which decides appropriate governance and sets a threshold for risk tolerance. There is always a trade-off in accepting some level of risk; these are board-level decisions. The results can then be rolled up to the PE firm, which can look across the portfolio. The firm defines what it wants to include in its cyber risk management program, such as the depth and breadth of what to collect for each investment, and decides the metrics and data limits for the program, which drive the whole CRM program.

Different questions need to be asked at different tiers: the PE firm, each portfolio company (“port co”), and the board.

PE firm

  • What is the cyber risk exposure of our portfolio?
  • What is the potential loss across the portfolio cumulatively and within each port co?
  • How likely are we to experience a breach within a port co and what will be the impact?
  • How mature are the security programs at our port cos?
  • Are our port cos appropriately funding their cybersecurity programs?
  • Are they making progress in reducing risk to an acceptable level?

Portfolio company

  • What is our risk register? That’s the list of open risks and treatment decisions and mitigation decisions.
  • Have we appropriately assigned risk ownership? Sometimes there is no clear understanding of who owns risks within the organization. Knowing about a risk and doing nothing about it is the bigger liability.
  • What is the status of your risk action plan?
  • What measures are we taking to manage risk and mitigate it, and what is the timeline?
  • Do we have sufficient resources to execute the plan? Security spending may be underfunded for the size of the organization: risks are identified, but there is no adequate funding mechanism.
  • Are we making progress on the plan?

At the Board level

  • What cyber risks does the organization face?
  • Do we have the right cyber talent on the board?
  • Are we compliant with security and privacy laws and regulations?
  • Is there sufficient cyber liability coverage? It’s an increasing problem.
  • Does the leadership team have a plan they are working on to reduce cyber risk to an acceptable level?
  • Are we establishing the right risk tolerance level for the organization?

Information to Collect

  • What is the maturity of the cybersecurity controls within the program?
  • What vulnerabilities exist in the IT footprint?
  • What volume of personal information, such as health information, is held? The cost of a breach is often driven by the number of individuals affected.
  • What is the funding source?
  • Cost/benefit: what are the costs of the analysis for the organization? It’s a balancing question.

Considerations When Designing a Portfolio CRM Program

  • Information: the PE firm needs to decide on the amount and type of information it wishes to gather and analyze as part of its program.
  • Impact: how the information is collected and how frequently will require different levels of engagement by the port co and the PE firm. They need to decide how invasive the program will be.
  • Culture of the firm: some firms are very hands-on, others are not. The culture plays a role in how you engage with portfolio companies and in the volume and nature of information collected.
  • Cost/benefit: there is a cost associated with a program, in terms of the time of the port cos and the firm as well as the cost of outside advisors. The cost needs to be balanced against the benefit of the program.
  • Funding source: who pays? The firm, the portfolio company, or is it split between them?

Information Collection Techniques

  • Document requests: policies and procedures, results of technical testing, results of assessments, cyber insurance policy information.
  • Questionnaires: include questions about the safeguards in place, including administrative, technical, and physical controls.
  • Interviews: allow a deeper dive into the maturity of the cybersecurity and compliance program.
  • Scans or tests: non-invasive technical scans and tests provide clarity on how effective the safeguards in place are at reducing risk. These show what an attacker might see when looking at the organization from the outside. Such findings are often posted on the dark web, which is an indication there is a problem.

A Common Framework for Assessment

  • Controls-based: this approach usually uses a checklist of required or recommended security controls, for example the CIS Top 18.
  • Threat-based: this approach looks at the program through the lens of how well the organization is defended against the most common threats.
  • Vulnerability-based: these approaches often use automated techniques to understand what and how many vulnerabilities exist within the organization’s IT footprint.
  • Risk-based: these approaches look at threats, vulnerabilities, and controls together to understand the likelihood and potential impact of a breach on the organization.

Health Industry Cybersecurity Practices (HICP) targets common threats, such as:

  • Ransomware
  • Phishing
  • General hacking of technical infrastructure

The Holy Grail of Quantified Risk

While there are several statistical methods for quantifying the risk of a breach, it is still difficult to do so accurately. Nevertheless, it is helpful to quantify, or at a minimum to speak of, risk impact in terms of actual business impact rather than qualitative labels like high, low, and critical, which are open to interpretation by each listener.
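As an added illustration (not from the webinar or from Clearwater), the snippet below rolls a constructed risk register up the three tiers described above: annualized expected loss (likelihood times impact, in dollars rather than high/low/critical) per port co and across the portfolio, risks with no assigned owner, and port cos above a board-set tolerance. Company names, likelihoods and dollar figures are made-up sample data.

```python
"""Roll up a constructed cyber risk register to expected annual loss.
Added example; all companies, probabilities and dollar figures are invented."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    company: str                # portfolio company ("port co")
    description: str
    annual_likelihood: float    # probability the event occurs within a year (0..1)
    impact_usd: float           # estimated loss if the event occurs
    treatment: str              # "mitigate", "transfer", "accept" or "open"
    owner: Optional[str] = None  # named risk owner, None if never assigned

    def expected_loss(self) -> float:
        """Annualized expected loss = likelihood x impact (a single-point estimate)."""
        return self.annual_likelihood * self.impact_usd


# Constructed sample register; numbers are illustrative only.
REGISTER: List[Risk] = [
    Risk("ClinicCo", "Ransomware via unpatched remote access", 0.20, 10_000_000, "mitigate", "CIO"),
    Risk("ClinicCo", "Loss of unencrypted laptop holding PHI", 0.10, 1_500_000, "open"),
    Risk("BillingCo", "Phishing leading to payroll fraud", 0.30, 400_000, "transfer", "CFO"),
    Risk("BillingCo", "Vendor breach exposes PHI", 0.05, 6_000_000, "accept", "CISO"),
]


def expected_loss_by_company(register: List[Risk]) -> Dict[str, float]:
    """Port-co tier: sum of expected loss across each company's open register."""
    totals: Dict[str, float] = {}
    for r in register:
        totals[r.company] = totals.get(r.company, 0.0) + r.expected_loss()
    return totals


def portfolio_expected_loss(register: List[Risk]) -> float:
    """PE-firm tier: cumulative exposure across the whole portfolio."""
    return sum(expected_loss_by_company(register).values())


def unowned_risks(register: List[Risk]) -> List[Risk]:
    """Risks that are recorded but have no owner or no treatment decision."""
    return [r for r in register if r.owner is None or r.treatment == "open"]


def over_tolerance(register: List[Risk], tolerance_usd: float) -> List[str]:
    """Board tier: companies whose expected loss exceeds the chosen risk tolerance."""
    by_co = expected_loss_by_company(register)
    return sorted(c for c, loss in by_co.items() if loss > tolerance_usd)
```

A real program would replace the single-point likelihood and impact with distributions (or at least ranges) and feed the impact side from the number of individuals whose records are held, which the notes above identify as the main cost driver.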

One caveat: external scans can give false positives. There is often “noise in the data,” so a scan result may not be the best answer, but it is still a data point that helps the organization understand its risk.

Watch the full webinar here.
