Understanding Cybersecurity and Sutton’s Law: Where the Money Is


Tina Simpson, JD, MSPH, Principal

Over the past year, whenever I have talked about cybersecurity with organizational leaders or industry colleagues, one topic has inevitably come up: the cost and (in some instances) relative availability of cybersecurity insurance.

Coverage is in increasing demand – and is getting harder to come by.

One doesn’t have to look far to explain this phenomenon. In recent years, there has been an explosion in ransomware and other cybersecurity attacks, with the health care industry as a primary target.

There is value in asking why the health care industry has become such a target in recent years.

Again, the answer to this is (partly) self-evident, and encapsulated in Sutton’s Law. When asked why he robbed banks, Willie Sutton logically responded, “Because that is where the money is.” The same logic applies to the targeting of health care providers today. Clinical practices and hospitals are repositories of valuable information, as well as of information and infrastructure that is critical to continued operations. Ransomware-as-a-service (where paying the ransom to decrypt and regain access to information systems is less expensive and less catastrophic to an organization than the loss of those systems) is a lucrative business. But there is another element driving this trend targeting our healthcare infrastructure – and that is one of opportunity. There is a reason Willie Sutton targeted retail banks and jewelry stores – and not, say, Fort Knox. In the risk-to-benefit ratio, the First Mutual looks a lot more appealing than a heavily defended, on-alert military base.

As an industry, health care has lagged behind other counterparts, such as banking and finance. There are many understandable (and justifiable) reasons for this. But it is also just an uncomfortable truth: comparatively speaking, hospitals and even more sophisticated health systems present a “soft underbelly” when it comes to cybersecurity defenses, and a much more appealing target than, say, banking institutions.

Unlike banking and finance, whose systems were developed with much less complex and diverse stakeholder requirements, security in health care has often come as an overlay on clinical operations, essentially bolted on as an afterthought. Further exacerbating this is a lack of manpower and of the resources needed to develop, implement, and monitor the appropriate policies and procedures. This isn’t just applicable to provider practices; even hospitals and health systems tend to lack the degree of investment in cybersecurity operations that their counterparts in other industries make.

Again, there are many reasons for this. But not least of the confounding factors is the lack of forward-looking, consistent regulations and enforcement by regulatory agencies. Even where there is a defined regulatory framework (as is the case with HIPAA), the regulatory approach remains reactionary, meaning that scrutiny (and consequences) are only triggered where there is a significant breach. This reactive approach – common in government and regulators – lends itself to an ecosystem where security is an add-on, or secondary consideration. When it comes to government action, clear, consistent, and immediate consequences are of primary importance. Administrative agencies are hampered further by overlapping areas of authority, Congressional inaction, and comparatively strained funding and other resources. There are plenty of good reasons why we find ourselves with a “problem of the digital commons” when it comes to the security of our digital infrastructure; the question now is what we will do about it.

Understood this way, the rise in cybersecurity premiums is, at least partly, a consequence of the common underfunding of providers’ security infrastructure in recent years. It is also an example of moral hazard, where stakeholders have relied upon the (sometimes elusive, and never comprehensive) security of insurance as a reactive protection of their organization’s resources, sometimes at the expense of a more robust, coherent, and consistent proactive defense.

But there is another reason that cybersecurity insurance is so expensive now – and that is a data problem. One of the challenges (for both insurers and the insured) is the lack of reliable data on cybersecurity incidents. There is no official central “clearinghouse” aggregating this information on a national (or multinational) level, and requirements to report to government entities are fragmented and incomplete; there are many reasons, after all, a business would not wish to highlight a security breach. But that gap in information has a cost to the wider ecosystem (including, at times, direct and individual costs).

The absence of reliable data on incidence and severity of attacks means that insurance companies have increasing difficulty calculating the risk associated with issuing any given policy. That actuarial gap creates uncertainty – and insurance companies do not like being blind to “knowable unknowns.” So that additional risk is built into the premiums.

All this is to say that, yes, securing cybersecurity insurance has gotten (a lot) more expensive. The application process is more detailed, and organizations must attest to more minimum security practices and applications than was the case even two or three years ago. We tend, as people, not to value or prioritize something until we are able to quantify it. So, while the skyrocketing premiums and instability present real concerns and hardships for strained bottom lines – perhaps this can catalyze intentional focus on effective defense and our shared responsibility for ensuring the security and availability of our critical information systems.

I will leave you with a few takeaways:

  • Yes – you almost certainly need cybersecurity insurance (it is not a ‘luxury’), but insurance is no replacement for proactive defense and the institution of policies, procedures, and resources that will enable your organization to continue to operate in the event of an attack or ransom demand.
  • But remember that insurance is never going to be adequate to make anyone “whole” in the event of a cyberattack or data breach. This is because not all of the harms are (directly) monetary – the biggest risk to any organization is its inability to continue operations. “Business Continuity” has a whole new urgency when applied to the health care sector, when “business as usual” involves life and death scenarios.
  • Your insurance coverage is only as good as the accuracy of the representations you make on your application. If you attest to using Multi-Factor Authentication, or to an actual policy governing data stratification and access (etc., etc.), you had better apply those same practices consistently. Attesting to policies, procedures, and defenses that are not actually in practice (or that exist only on paper in a never-implemented policy) is a basis for the insurance company to deny coverage.
  • Finally, an ounce of prevention is worth a pound of cure. Recognize that the greatest risks almost always (by which I mean always) are traced back to a human agent and that human’s action. Meaningful, practical, and engaging training of staff on cybersecurity practices and digital hygiene can go a long way.
ABOUT THE AUTHOR

Tina Simpson, JD, MSPH

Tina started her legal career as an Assistant Attorney General for the North Carolina Department of Justice. In administrative rule-making, board management, and public procurement, she represented various state organizations, such as the NC Division of Medicaid and the Office of the State Treasurer. After eight years, Tina pursued her Master of Science in Public Health at the UNC Gillings School of Global Public Health.