Is it time to go it alone with cyber insurance? Maybe not, but it is probably time to explore the question of viability of that approach.
Today in health IT, is it time to go it alone for cyber insurance? Great question, talking to some CISOs this week about that very thing. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged.
We want to thank our show sponsors who are investing in developing the next generation of health leaders. Gordie and dynamics, Quill health towel, site Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today. All right. I was taking a look at some of the headlines and this one jumped out at me. In fact, I posted it.rom insurance coverage. So by:
All right. So Lloyd's of London Limited will require its insurer groups globally to exclude catastrophic state-backed hacks from standalone cyber insurance policies starting next year. Lloyd's is a marketplace where roughly 75 syndicates of underwriters aggregate, to congregate to provide insurance coverage for businesses, organizations and individuals.
As of March 31st, when coverage begins or is renewed, syndicates must exclude state-backed cyber attacks from policies that protect against physical and digital damage caused by hacks, says the underwriting director. So this is a Wall Street Journal article.
That got me to thinking and eventually got me to start chatting with some people about this whole idea of cyber insurance and where it's heading. So cyber insurance is meant to mitigate risk, right? So you're going to mitigate the risk of the damages associated with a cyber attack.
Essentially, what Lloyd's is saying at this point is, they are talking to experts and the experts are telling them that a majority of systems are, well, it could be health systems, could be anybody. Actually, this is anybody who's asking for these policies. Organizations say this phrase, and see if this phrase resonates with you, if this is a phrase that you've heard said before, which is: we can protect against any attack except a nation-backed cyber attack. Right? An attack from a nation state of some kind.
I've heard that phrase said many times, like, we don't have the resources, we don't have the wherewithal to protect against such things. Yeah. If that is the case, then you can't expect Lloyd's to write those policies for that. If we're not protecting against that, if we're not investing to protect against that, then Lloyd's shouldn't be required to cover it. So I don't disagree with their business practice here of not covering something that we generally agree is not something we can protect against.
All right. So I've heard it a lot now. Again, you're probably not hearing that from, I don't know, you're not hearing that from Chase. You're not hearing that from major banks and those kinds of things. They have to protect against nation-state attacks, but in the healthcare world, we seem to exempt nation-backed cyber attacks because they're just too big and too intense as they come at us. And I think this is sort of a shot across the bow to say, you can't exempt it if you expect to have insurance around it. Right?
If you're giving insurance for driving a car and you don't, you know, take the proper training, you continually drive over the speed limit and get tickets and whatnot, your coverage goes up and eventually they revoke your coverage because you're a bad risk. And if you're not going to invest to protect against these things, you're a bad risk for these insurance agents.
But the natural progression here is, if they're not going to back cyber attacks from nation-backed entities, where does it end? Right? How far does it go? The nation-backed entities have unlimited resources and they can come at you. I think that's one of the reasons that this is singled out, but quite frankly, the crime syndicates are pretty extensive, have a fair amount of money behind them, and very sophisticated attacks are coming from that direction.
How long before it goes to that next step of saying it doesn't cover this type of attack or this type of attack? I quite frankly don't think it's that far away. And this is why I think the conversation around self-insuring around cyber is something we should start to consider.
And, you know, potentially, when you have this kind of challenge, yeah, you need scale in order to protect against this, right? So you need scale in order to have the wherewithal to weather the attack, to invest in making sure you don't succumb to the attack, and making sure you have the resources to get to the other side of an attack.
And so you can get to scale in any number of ways. One is you can acquire it. The second way you can do it is that you can aggregate like-minded or similar-type organizations who are looking for the same kind of coverage, and you could essentially self-cover in an aggregated fashion around that.
All right. All that to say, I don't know about the business model around this, as much as what is it going to take for us to self-insure. Well, it's going to take us doing all the things that the cyber insurance companies want us to do. It's going to take investing in the right technologies, understanding the framework and the measures around good cyber security, being able to identify the gaps, fill those gaps, rapidly identify intruders, lock those intruders out.
You know, the one thing I love about CrowdStrike is their 1-10-60. You know, identify the intruder within one minute, act on that within 10 minutes, and remediate it within 60. So within one minute, you know that they're there, within 10 minutes you have essentially quarantined them off to wherever they're operating, and within 60, remediated. That's the kind of metrics we need to start considering as we are designing our cybersecurity policies, as we are building out our cyber practices.
If we can get to that, even a nation-state attack, we should be able to quarantine it off and make sure that it does limited damage. In that case, self-insuring is viable. Right? If you have minimal damage to a certain aspect of your business, that is one thing to cover, but if the blast radius for the damage that's done in a cyber attack hits the entire organization, that's a different level of costs to the organization, and we saw that with the Scripps attack.
And I think they estimated, I haven't gone back to look at the numbers, I remember the numbers at the time were somewhere around $110 million for a three-plus-week outage that cost them not only business and reputation, but also just the overall cost of that attack.
I think we should consider having very serious conversations of what it looks like to self-insure around cyber security and cyber attacks. We should consider what a framework would look like in order to mitigate our risks around that, either through a scale of the existing organization or aggregating, you know, similar systems or potentially going together around cyber.
The reality is we do not compete with regard to cybersecurity. We don't want the hospital down the street or the competitor down the street in any way, shape or form to succumb to a cyber attack. That's not how we want to compete, and nor should we compete. And so there's an opportunity here to partner in non-traditional, let's call it non-traditional ways, in defending and insuring against, mitigating that risk against those attacks.
So I throw that out there just to say it's complex. As you can hear with me, the thoughts are still forming in my head. I think it's conversations that we need to have and explore as an industry, and conversations we need to have amongst organizations to determine what models make sense, how we can work together, how we can shore up healthcare across this nation.
So anyway, just some ramblings and some thoughts about a future direction, nothing definitive on this one. Just, I think it is the direction we should be considering. All right. That's all for today. If you know someone that might benefit from our channel, please forward them a note.
They can subscribe on our website thisweekhealth.com or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher, you get the picture. We are everywhere. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders. Gordian dynamics, Quill health house site Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.