Kuwait’s Ministry of Health cyber-attack: The critical role of prevention, incident response and cyber insurance in managing data breaches

The increase of cyber-attacks requires organisations – both public and private – continually to assess and strengthen their cyber security measures. A recent cyber-attack against Kuwait’s Ministry of Health (“MOH”) underscores this necessity. Although the MOH has not provided specific details, the investigations suggest that unauthorised third parties accessed its systems by exploiting existing vulnerabilities. As a result, the commonly used Sachel healthcare application, which allows thousands of Kuwaitis to access health services, book appointments, and manage medical records, and on which significant personal data are stored, was targeted, causing widespread disruption in hospitals.

The MOH responded promptly and took immediate action to minimise the impact of the attack by implementing advanced security measures and collaborating with technical teams. When assembling technical teams, it is crucial to include legal experts, such as lawyers, to guide you through your internal incident response plan (“IRP”) and ensure compliance with legal and regulatory obligations, whilst mitigating legal and financial risks. An IRP is a predefined policy that outlines specific steps that an organisation must follow when a cyber-attack occurs, enabling teams to act immediately and decisively. Some jurisdictions have strict regulations about breach reporting and response, making timely and accurate compliance essential to avoid penalties. Legal experts play a key role in determining breach reporting obligations under relevant legislation, preparing and submitting notifications to the regulator and affected data subjects, and coordinating with regulatory authorities.

At the same time, it is important to notify your cyber insurers as soon as a breach is identified, as delays in notification may impact an organisation’s ability to claim coverage for breach-related costs and losses. Compliance with notification requirements is often a condition for coverage under a policy, and failure to promptly notify can result in denied claims or limited coverage, increasing financial and reputational risks for an organisation.

Comprehensive cyber insurance cover for organisations is no longer a luxury but a necessity to mitigate risks. Subject to the policy wording, policies cover key aspects including business interruption and legal and regulatory expenses. Policies vary in coverage, making it essential for organisations to tailor their policies to fit their specific cybersecurity needs and risk exposure. To achieve this, organisations must collaborate with their risk management teams to strengthen their position when negotiating favourable policy terms. During underwriting, insurers often evaluate the current state of an organisation’s security systems in place, including configurations, firewalls, and multifactor authentication, to determine the terms of coverage. Therefore, organisations must demonstrate strong cybersecurity practices by implementing a robust strategy, including regular internal audits and assessments to identify and reduce threats. Weaknesses in security systems may result in higher premiums or exclusions from coverage, increasing the likelihood of denied claims.

The cyber-attack on the MOH is a stark reminder that no organisation is immune from cyber threats. Adopting a comprehensive approach that integrates preventative measures, incident response and cyber insurance enhances an organisation’s ability to handle breaches effectively. This approach minimises the risk of a breach, ensures compliance with legal and regulatory requirements through legal guidance, and offers financial protection using cyber insurance.

This also has relevance to directors and officers of organisations. A company’s vulnerability to a cyber attack and the suitability of the cyber insurance cover in place ultimately places the directors under the spotlight as it is invariably the role of the board to arrange cyber cover. Therefore, if the cyber policy does not provide adequate cover, there is a risk that the directors who sought the policy might be susceptible to claims by shareholders or other third parties. The shareholders might, for example, claim for a drop in the share price which could follow after a cyber incident occurs and cite the board’s approach to procuring insurance as a reason.