Creating a Recovery Plan for a Cyber-Attack | News | MMA

Creating a Recovery Plan for a Cyber-Attack

An article from McKnight's Long-Term Care News


SVP, Management Liability
+1 763 548 8599
August 21, 2019

Note: This article was originally published by McKnight's Long-Term Care News

Long-term care facilities more than likely have contingency plans for dealing with natural disasters, such as flooding or an earthquake. They are generally well prepared to deal with the results of a fire or even an active shooting incident. These are all occurrences that any organization—nursing homes, assisted living facilities, continuum of care communities, or any other housing for aging or disabled individuals — should have a plan for managing. 

While your facility might be ready for a natural disaster, are you prepared for the aftermath of a cyber-attack? According to a 2018 Marsh report, most companies are not prepared to respond effectively. Of the organizations surveyed, fully 60% believed a cyber-attack was one of the top five risks they faced — if not the No. 1 risk — yet only 18% had a cyber incident response plan. 

Clearly, long-term care facilities are not immune to the attacks of cyber criminals. According to the World Economic Forum’s Global Risk study, cyber-attacks have been in the top five “most likely risks” for the past two years. If your facility doesn’t have a plan, you leave yourself vulnerable to an attack and the subsequent consequences.

You are responsible for a wealth of medical and personal information, including Social Security numbers, Medicare and Medicaid accounts, and more. That means you need to be prepared to keep your electronic and non-electronic data as secure as possible, and it means you need to have a plan in place to deal with the results of what is, unfortunately, a virtually inevitable attack.

General liability insurance doesn’t cover cyber issues
Cyber attacks are not generally protected by your general liability coverage. You’ll need a specific cyber policy to receive insurance protection (more on this later), but first you need a plan. Cyber disaster recovery is about more than recovering from financial loss — it also requires you to know how to assess risk and mitigate damage pre-disaster; reinforce or change your IT structure to better protect patient information; develop a clear internal communications process; and rely on public relations to help you better manage your story and, ultimately, your facility’s reputation.

What makes an effective cyber recovery plan?
A cyber recovery plan needs to be designed and put in place before you experience a cyber attack. It also needs to be practiced multiple times to ensure that every key person in your organization knows exactly what to do and when as soon as a breach is discovered. 

Here are a few planning ideas that have been proven to work for a wide variety of organizations:

• Appoint someone to act as the leader. This person should understand every part of the response plan, and be able to put the plan into motion without hesitation. They will oversee your response team. But they should also have a back up who is completely familiar with the plan.

• Your response team should consist of both internal and external experts, who are able to work well together and around-the-clock to restore and maintain facility functions during and after a cyber-attack. The team should have:

  • Cyber-incident attorneys
  • Senior leadership
  • Forensic IT specialists
  • IT security experts
  • Public relations

There are five phases to any recovery plan, and each member of the response team needs to understand his or her role:

1. Identify the problem quickly. 
External services and third-party sources specialize in this kind of work and can find the problem efficiently. Determining what happened, to whom, and for how long is key to managing an incident.

2. Contain the attack. 
Prevent it from spreading. In some cases, the faster the incident is identified, the less damage it can do.

3. Investigate the crime. 
Understanding how the incident occurred — and then fixing the gap — is essential to allowing your organization to effectively move forward. It also helps you defend your organization against allegations of negligence.

4. Communicate and carry on. 
A good legal team will determine if your organization has an obligation or an ethical need to notify employees, customers or possibly government agencies or regulators of the breach. Even though computers, networks and other services may be down, employees should maintain regular operation as much as possible.

5. Prevent future attacks.
Change company practices in order to prevent a future breach. This could require employees to reset passwords more often and might require the company’s IT services to implement more stringent security measures.

Your insurance broker should be able to provide you with risk management and assessment capabilities to help you decide what you need to do and how your plan should be formed.

What kind of insurance do you need?
Cyber insurance can’t prevent your organization from being the target of cyber attacks, but it can help keep your business on stable financial footing when a significant security event occurs. Cyber insurance is still evolving, but here are the basics that quality policies will provide coverage for:

  • Forensics investigation: This is how you determine what happened, how to repair the damage and prevent the same type of breach in the future. It can often involve a third-party security firm as well as coordinating with law enforcement and the FBI.
  • Business Interruption: A cyber insurance policy covers monetary losses experienced by business interruption, data loss recovery and costs involved in managing a crisis, which may involve repairing reputation damage.
  • Privacy and notification: Data breach notifications to customers and other affected parties are often mandated by law, and this allows you to provide credit monitoring for customers whose information was or may have been breached.
  • Lawsuits and extortion: Covers legal expenses brought on by the release of confidential information and intellectual property as well as, potentially, the cost of legal settlements and regulatory fines, where permitted by law. This can also include the costs of cyber extortion, such as ransomware.
  • Reputational harm:  Covers potential income loss to your facility due to the reputational harm suffered as a result of a cyber incident.  

Here are a few key questions to ask when you’re evaluating coverage:

  • What are the limits available in the many coverage parts?
  • What is the aggregate policy limit available?
  • What are the deductibles?
  • How do the coverage and limits apply to both first and third party expenses that will occur? 
  • Does the policy cover any attack that affects your organization or does it also cover attacks on key business partners?
  • Does the policy cover social engineering fraud? 
  • Does the policy extend to certain bodily injury or property damage claims that result from cyber incidents?

Talk with an expert
The last thing you need is to discover you have holes in your plan – after you’ve had a devastating cyber-attack. There are multiple consultants specializing in this growing area of risk. Finding an insurance broker that specializes in this coverage — as well as the long-term care industry — is a good start. They will be able to draw on their network of professionals, access to insurance carriers specializing in cyber-risks to the long-term care industry, accumulated experience and access to risk mitigation resources that will ensure you have the necessary protections in place.

Dan Hanson is a senior vice president with Marsh & McLennan Agency, where he specializes in helping employers manage, mitigate and insure their cyber-related risks. He can be reached at