Healthcare risk managers may mistakenly assume that a commercial insurance policy will cover the damage resulting from cyberattacks, but that is often not the case, says Chris Frederick, partner with the tax and accounting firm Bennett Thrasher in Atlanta.

Even if the policy is written in such a way that it could cover cyberdamages, it is common for policies to require evidence of physical damage before any coverage kicks in — and there usually is none in a cyberattack, he says.

Healthcare organizations also may run into trouble with the cyberinsurance provider determining that the cyberattack occurred due to insufficient security.

“The insurance company will look at whether the network infrastructure was secure enough. They might say basically, ‘Yes, there was a data breach, but you didn’t take the necessary steps to prevent it,’” Frederick says.

Frederick also has worked with a company that experienced a data breach and found that the insurer did not want to cover satellite locations, including employee homes, because those locations were not named in the policy.

The limits on coverage also are important. For instance, if a policy covers the IT work necessary to recover from an attack, does that mean the insurer will reimburse you for the time your own IT employees spend on it? Or only for outside IT consultants, because your employees would have been paid for their work anyway? Frederick has seen companies surprised and frustrated when the insurer refused to compensate them for the work performed in-house.

“A key component is to know exactly what is covered and what is not,” Frederick says. “Even if it doesn’t cover all that you wish it did, possibly because you can’t afford that level of coverage, you are better off knowing that up front and not after you have been attacked.”


• Chris Frederick, Partner, Bennett Thrasher, Atlanta. Phone: (678) 218-1403. Email: