The reality is that cyber attacks are a constant threat for companies, not the kind of rare, infrequent occurrence that most insurance policies are developed to deal with. Brian Finch, a partner at Pillsbury Winthrop Shaw Pittman LLP, recently proposed using an HMO model to deal with cybersecurity.
According to Finch, “cyberattacks are a constant threat, much more akin to medical claims than property or casualty claims. We know they will occur on a regular basis, and so insurers need to establish an infrastructure that supports constant care over a lifetime.” This is why insurers should view cyber insurance through a health care model lens rather than through a liability or casualty insurance lens.
Finch says that under the model, insurers would strive to promote the “right” types of claims, ones that encourage healthy behavior. However, much as with a person’s health, sickness is bound to find a way in, and a cyber HMO would “support interventional care that prevents minor scratches from developing into a serious infection.”
Under Finch’s model, a company would gain access to a cyber HMO by paying monthly premiums along with associated co-pays, deductibles, and other expenses, much like in a health insurance plan. The plan would give the insured access to a huge network of support services, such as cybersecurity vendors and IT professionals, at a discounted rate. In the event a problem occurred, the insured would have low-cost or potentially free access to basic “cyber hygiene,” like a diagnostic examination of information technology systems, perimeter defense systems, and other basic defense systems (much like a yearly physical).
More advanced defenses would be available at a higher co-pay. An insured could even go “out of network,” but, much like under current health plans, they would have to cover the majority of the costs associated with doing so. Finch notes that a number of companies are already taking small steps towards the idea by monitoring a company’s cyber health, while others are developing products that can continuously monitor a company’s network and systems.
Finch notes that the cyber HMO plan has certain flaws (particularly since health care HMOs have significant flaws), but believes that it addresses the issues at hand better than current strategies to insure against cyber threats.