Specialty Podcast: Cyber Trends and Threats in the Managed Care Industry

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

CJ Dietzman (00:09):
Welcome everyone to another edition of the Alliant Specialty Podcast. CJ Dietzman here from Alliant Cyber, Senior Vice President, representing our cyber consulting and risk advisory services. Really thrilled to be with you today. Thanks for joining everyone, and I am so excited. We've got Tara Albin here, Senior Vice President, recently joined the Alliant team. Tara just has an incredible career and background in cyber risk, broader brokerage and risk management services. She spent a lot of time in managed care and the construction realm. Tremendous deep industry expertise. Tara, we are so thrilled to have you now on board as part of the Alliant Cyber team. Welcome!

Tara Albin (00:55):
Thanks so much, CJ, for the warm welcome. I really appreciate it.

CJ Dietzman (00:58):
Well, thank you. Thank you, Tara. Let's get right into this, Tara, because we've got a couple key things that we want to cover today and really hear your perspective, your unique and candid perspective on what's going on in the managed care industry, specifically in terms of cyber risk and threats, how that impacts the insurance market and how that might impact managed care risk managers. So, first things first, Tara, what are some trends and themes that you are seeing with your clients and in the industry right now?

Tara Albin (01:31):
Yes, so when it comes to managed care, it's a mix of that healthcare industry as well as financial institution industry being a health insurer. What I've been seeing in recent years is a lot of merger and acquisition activity, whether it's merging of plans, especially when it comes to, they're merging due to expanding services, resources and technology to drive efficiencies. The other area would be third party vendors. A lot of the cyber events we're seeing are coming from those third-party vendors. I think the change healthcare event was a good example of this. Many times we see that the parent company could be buttoned up tight, the best cyber risk tools in place. But when it comes to engaging with these third-party vendors, you just have to make sure that they are an extension of the organization. They're doing all the right things from a security control standpoint, but you really can only control things to a certain point. But back to the mergers and acquisitions piece, M&A activity presents a whole slew of cyber risks. It’s the increase in protected health information. When two planes merge together, how is that data going to be protected? There’s the added risk of data security and incorporating the acquired entity into the parents' security standards. While the parent company may have the IT governance over the acquired company, how are they ensuring that that entity is doing what they say they are doing when it comes to cybersecurity controls and really what the parent company is expecting of that acquired entity. And then to touch on that third party vendor exposure, I mentioned the change healthcare event.

I had every single one of my healthcare and managed care clients put their carriers on notice for that event, and granted it did run from the lowest risk exposure. Some said we just unplugged, it won't be an issue for us, we don't really rely on them too much, we're going to notify the carrier out of an abundance of caution. Up to, this is going to severely impact our business operations, we are definitely going to exceed our retention and possibly our first layer of coverage, if not more. So it really, the change healthcare event, really affected the healthcare and managed care space. We are seeing a lot of, I'd mentioned a lot of these cyber events come from the vendor side. One of the issues that came from the change healthcare event was the contracts. Some of those contracts weren't worded particularly well. I would always strongly recommend when it's a critical vendor to review those contracts each year. Make sure that you're reviewing the language and making sure that if that vendor was severely impacted with a cyber event, you need to know how you are going to get through and the liabilities involved here. Another area when you're contracting with a third-party vendor is sharing of data. How much data will they have access to if they were to have a cyber attack? What does that mean for your organization when it comes to PHI data being released? The other thing to keep in mind too is when that contract comes to an end, what's going to happen to that data? Making sure you have that data return language in the contract. There were just a couple of areas that I've been seeing increased activity in the managed care space.

CJ Dietzman (05:30):
Tara, wow, that was fantastic. You made some great points there and actually gave me pause. I want to ask you a follow up question if I can. In the context of change healthcare and the threat activity and the risks that you brought up, what are some of the key controls, or maybe on the flip side of that, some soft spots that you're seeing in the market with your clients where they should really be focused right now?

Tara Albin (05:56):
Well, it goes without saying, right? Multifactor authentication. We’ve heard that thrown around and that has now become, well for the last several years, that is a basic control, and that has to be implemented throughout the organization. Email access, remote access, accessing any kind of applications, backups, you have to have MFA throughout the organization. Listen, I'm not an IT person, but my understanding is it's not extremely expensive to implement, and it is pretty basic. It can be somewhat disruptive, I believe, as with any IT control. But it still comes down to the testing. At the end of the day, it is a critical prevention, but things like endpoints, EDR solutions, email filtering, the list goes on and on. But it's really building those defenses up the organization, making sure that those bad guys are not getting in. At the end of the day, I would say one of the most critical things is training your employees. Employees still are an organization's number one risk, and it could be a variety of reasons. It could be we are all really busy. We're all doing a lot more with a lot less and remote working too. Sometimes you don't have the option of being across the desk from another coworker to say, "Hey, did you see that weird email come in?" You're isolated and on your own and in the zone if you're remotely working, but I cannot stress that enough. Listen, you can train your employees over and over again. You are still unfortunately going to have those repeat clickers as we call them that just can't help themselves but to click on links. But again, employees are critical to protecting the company from cyber events.

CJ Dietzman (07:59):
Fantastic points. You covered a lot of ground there. Let me ask you this, where you've seen incidents and losses and claims for that matter with your clients recently, can you talk to us about what the nature of some of those incidents were? Are you still seeing a high population, a high frequency of ransomware? Are you seeing more targeted breach activity, leveraging other vectors? Can you talk to us about the type of cyber incidents that are causing claims and loss in the managed care realm?

Tara Albin (08:31):
Managed care is not always any different from any other organization. Ransomware is everywhere. It's large entities, midsize entities, small businesses, any industry class. Health systems still are heavily targeted. The number one target. They've got a lot of information in PHI, as does managed care. So ransomware, while I'm not on the claims side, I can speak to what my clients are reporting, but just in speaking to the claims teams, other resources in the industry, ransomware seems to have slowed down a little. That does not mean let those guards down by any means. I think our insureds, our clients have become better risks. They are during the hard market, they had no choice but to listen to what the cyber underwriting community was pushing out as far as implementing controls, MFA, EDR solutions, PAM tools, anything through email filtering, anything they can do to really secure and button up the company and put up their defenses against these threat actors. But as far as ransomware, it's slowed, but has not gone away by any means. Another area we see affecting many companies, especially those that have higher transactions as far as payment transfers, are in social engineering, wire transfers, invoice manipulation, too. These threat actors really find any way they can to make money and steal from companies that a lot of times, going back to the employee training, taken advantage of an employee just having a bad day, not paying attention. Any way they can get in and make money, they're going to do it. This being an election year doesn't help, right? We have countries that really despise the United States and sympathize with our enemies. They find ways to target companies for any means, but particularly when it comes to healthcare related companies, managed care health systems that have that very valuable PHI information.

CJ Dietzman (10:55):
Thank you so much for that, Tara. I have another question for you. In the context of all of this cyber threat activity, the claims, the losses, and then of course on a positive note, some of the things that our clients are doing, particularly in the managed care space. What's the current state of the cyber insurance market? Just Tara's opinion, based on what you're seeing as you engage with countless clients, Tara, in this realm, what are some of the themes and trends? What's the state of the cyber market? Go ahead.

Tara Albin (11:28):
Thank goodness we are not in a hard market anymore. I would say myself and every cyber underwriter and broker out there, those two and a half years of that hard cyber market were pretty rough. They were some very dark times, but we emerged out of that hard market much quicker than I think any of us anticipated. We're now throughout 2024, we've definitely seen those rates coming down, premiums coming down, sometimes lower retentions even, more coverage. I found that carriers are much more open to special language or negotiating lower retention. There's a lot more flexibility I would say on the carrier side, and carriers have hefty growth goals this year. They need to grow their books. Managed care in particular in the hard market, many carriers would shine away from it. It can be a risky industry class. However, in my opinion, they have some of the best controls out of many industries that I have experienced. I think there's still a little bit of heartburn from particularly one of the larger managed care breaches many years ago, but I found that some are willing to entertain it and at least attend the underwriting calls, listen to the controls in place. Many are very good risks.

They are very good security controls, and in my opinion are good risks to get on right now. Managed care in particular may not be experiencing some of the deep decreases, lower retentions that we see in other industry classes. Healthcare is the same also. I would say retentions are holding steady. Typically managed care we see have higher retentions than most, but capacity is back. I have seen some carriers that are very comfortable in the managed care space, willing to deploy more capacity. During the hard market, we saw so many carriers reducing capacity from 10 million in limits to 5 million in limits. There are carriers in the managed care space that are willing to deploy 15, 20, even 25 million in capacity. It may be all in one layer, it may be broken up, a lower layer and then a higher excess layer. But we are definitely in a much better place in the cyber market than we were. I'd mentioned earlier I felt that we swung very quickly to a softer market. My prediction, maybe in the next six to 12 months, I do think that we are going to see a little bit of a hardening in the market. I hope I haven't cursed us, but I don't want to go back to the hard market that we saw a couple of years ago. But I do think probably a little hardening in the market. Healthcare has been so impacted with change healthcare and the ascension cyber event that I know some carriers that frequently write cyber in those industry classes are taking a pause, reassessing their books, making sure that they've not got too much capacity out there, or too lower retentions or they're getting an adequate rate. We won't see a broad brush hardening in the market, but there's definitely going to be, I think hardening in certain industry classes and with healthcare, that could certainly impact the managed care entities also.

CJ Dietzman (15:07):
Thank you so much for that, Tara. Wow. Listen, I'm so glad that you're here to help our clients, particularly in the managed care space and the construction space, navigate these challenges. Fascinating times. Now I'm going to put another question to you pivoting from the cyber insurance market discussion. There's still some perception out there, candidly that I've observed where, hey, once we get our cyber insurance in place, we're good. Now that we've gotten through renewals, we're fine. I want to hear your thoughts on the importance of moving beyond that into true cyber incident response readiness, including the importance of incident response planning. You and I have chatted about this before. I'd love to hear some of your candid thoughts that I think some of our clients could benefit from.

Tara Albin (15:53):
Yes, having a cyber policy is only part of the risk mitigation. There's still a lot that goes into protecting companies, and as you mentioned, the incident response plans are critical. You can't just have a plan on paper and it rarely gets practiced and when it does, nobody really knows their role. I've had clients that have requested I sit in on the sidelines of their incident response plans they're testing, and I just sit back there and observe. There's some that have been, just okay, I'm not sure those in the room learned much from it. There are others that they really get in the weeds. At the end of the tabletop exercise, I feel everybody's walked away knowing their role. If an event was to occur, knowing what to do, who to call. Again, if it's not tested, if it's not reviewed on a regular basis, it's as valuable as the paper it's written on. Another key factor when it comes to the incident response plan, have a paper copy handy somewhere tucked away. Everybody should have a copy of it. I have experienced clients that have gone through a cyber attack. The network is down and the incident response plan was stored electronically. So networks down, you can't access the incident response plan. There are things like that. To constantly talk about the incident response plan and make sure that it's testing, you're reviewing it, and it's just those little things that often you maybe just didn't think about. Planning for the event is always a good idea.

CJ Dietzman (17:44):
Tara, thank you so much. That was fantastic, and I love how you emphasize the importance of cyber incident response planning and then the testing, including the tabletops. I know I'm super excited to have you joining us as Alliant delivers cyber incident tabletops with many of our clients. You're going to add so much to those sessions. So excited. Tara, thank you for your time today, number one. Number two, welcome to the Alliant Cyber team. We are all so excited to have you, but perhaps most importantly, how do our clients get in touch with you, Tara? What's the best way?

Tara Albin (18:16):
Thanks, CJ. Yes, let me just stress, I am thrilled to be a part of the Alliant Cyber team. If you want to get in touch with me about anything we've discussed today or anything cyber related, you can reach me at Tara.Albin@alliant.com, and I'm so looking forward to hearing from all of you.

CJ Dietzman (18:43):
Wonderful. Folks, that about wraps it up from Tara and I on this episode of the Alliant Specialty Podcast. We are so grateful that you folks were able to join today. Everybody out there please be well, and we will see you on the next one. Thank you.