News from the Cyberinsurance Market: Healthcare entities are finding that cybersecurity insurance is getting harder to find. Insurers are leaving the market, and prices are going up. Having cyberinsurance has always been a good call, from the time the insurance first hit the market, because (i) the risk is so hard to quantify, (ii) a really bad incident will undoubtedly bankrupt the company, and (iii) the prices have been so reasonable. And if you are a business associate, (i) many covered entities require cyberinsurance, and (ii) many business associates use their cyberinsurance to support indemnification and liability caps in their business associate agreements.
Early in the cyberinsurance market, many insurers jumped in. The risks, while hard to quantify in size of claims and hard to predict in terms of which insureds were most likely to get hit, were still not great -- most cyber incidents result in costs of remediation, notification, and vague reputational damage, but don't end up with large settlements to customers or regulatory fines. Some of this reshuffling of the market is just insurers figuring out that they're not great at running the business or don't have enough business in the portfolio to make it worthwhile, or blanching at the ever-increasing number of breaches and at insureds' increasing knowledge of, and reliance on, their ability to take advantage of the insurer whenever an event occurs that they would otherwise have taken on themselves.