Does the NHS Buy Cover for Cyber-Attacks?

Much has been written in the last few weeks following the Wannacry attack that had such a dramatic impact on the NHS.  A total of 47 Trusts nationwide and 13 NHS organisations in Scotland were reported as being affected.  This isn’t a new scenario, Julian Ashworth (shadow health secretary) cited a Freedom of Information (FOI) request that showed 79 English Trusts (33%) had suffered ransomware attacks since June 2015.

While it’s clear that the global cyber-attack on 15 May caused significant disruption to services and considerable inconvenience to staff and patients, it is more difficult to try and put some numbers around the actual costs incurred by Trusts from an insurance and risk perspective.

As leading advisers on insurance and risk to the NHS, we have been asked what insurance and risk solutions they should be thinking about. The starting position has to be looked at by the NHS Litigation Authority risk pool (NHSLA) which currently procures cover for non-clinical under the Liabilities to Third Parties Scheme (LTPS) and the Property Expenses Scheme (PES), known collectively as the Risk Pooling Schemes for Trusts (RPST).  Following a high-level review of the NHSLA cover:

• There is only cover for claims made by third parties against the NHS for breach of personal data. This is GBP50,000 per original cause. There is no mention of own costs, for example,  ransomware payments.
• Within the computer section there is no specific mention of cover for cyber or ransomware incidents. There may be a small amount of cover under a computer section.

1. Damage to computer equipment, including loss, destruction or damage from any accidental or malicious cause.
2. Computer systems records, but only for the value of the materials, together with the cost of clerical labour and computer time expended in reproducing such records for an amount not exceeding GBP50,000 (not for the value to the member of the information contained therein).

We also looked at the sections covering directors and officers (D&O) liability and fidelity guarantee (crime). There is no affirmative cover/extension in either of these two areas for the events of the past weeks.

There is, however, no exclusion language in the D&O contract. This means that, subject to terms and conditions, the policy may respond to claims against members of the Board of Members made during the period of insurance and alleging a failure or negligence in their fiduciary duties (including the duty to exercise reasonable care, skill, and diligence).

What is also evident from our work with NHS Foundation Trusts, in particular, is that the majority have cyber risk highly ranked on their strategic risk registers; but, conversely, most have not purchased cyber insurance from the commercial market. Why is this?

Going back to the start of the article, we believe the biggest challenge is that these organisations have not yet been able to identify loss scenarios and quantify financial exposures for their Trusts. If you can’t do this, then making informed and auditable decisions about how to fund this type of risk become very difficult.

We help trusts deal with this from an assurance-based model that is not predicated on the “blind” procurement of a commercial insurance policy. 

Please contact me if you would like more information