New Case Highlights Deep Hole in Cyber Insurance

Uploaded on 2015-07-16 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

security_0814_page17_graphic1.jpg

IT security's level of involvement in determining adequacy of insurance coverage

Insurance policies covering data breach liability began appearing roughly ten years ago. We noted then a troublesome provision in some forms that seemed to exclude coverage for the insured’s failure to maintain data security – in other words, the very risk the insured was seeking to insure. We’ll call it the “Mistake Exclusion.”  One AIG form from 2006, for example, excluded coverage arising out of “your failure to take reasonable steps to use, design, maintain and upgrade your security.” A 2009 Darwin form excluded coverage for any claim arising out of  “any failure of an Insured to continuously implement the procedures and risk controls identified in the Application for this insurance.” But isn’t liability insurance supposed to do just that – protect against the insured’s mistakes, innocent or negligent? We hoped and expected that as the market for these policies matured, savvy brokers and risk managers would insist that these Mistake Exclusions be removed or substantially narrowed. But that has not happened.

We now have the first case we are aware of by an insurer seeking to enforce a Mistake Exclusion. In Columbia Casualty Company v. Cottage Health Systems, filed May 7, 2015 in the U.S. District Court in Los Angeles, Columbia seeks to enforce an exclusion barring coverage for a data breach claim arising out of any “failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.” Columbia’s complaint arises out of a class action suit against Cottage alleging that, for a period of two months in 2013, 32,500 patient records were accessible via the Internet. Cottage had hired a third-party vendor to store Cottage’s records electronically and that vendor mistakenly set the File Transfer Protocol settings to allow public access. Columbia funded Cottage’s defense and settlement, but is suing to recover all of its payments from Cottage.

Imagine that you’re Cottage. You bought an insurance policy against data breach claims, only to find out that what you bought was a lawsuit by your insurer to establish that your mistake, even an innocent one, caused the data breach. That’s not insurance. That’s a knife in the back.

Columbia might prevail in this lawsuit. It relies on language that appears not just in an exclusion, but also in a “condition precedent” to coverage. On the other hand, a court could decide that the exclusion effectively renders any coverage a nullity and should be disregarded. Or the court could read an implied “unreasonable failure” standard into the exclusion to meet the insured’s expectations. Even then, however, the insured still risks a lawsuit from its own insurer in most cases. And that risk becomes a hammer in the hands of an insurer seeking to limit its payout. At bottom, Columbia really only seems to want to insure against a criminal hacker attack that beats the best security system money can buy. But if that’s so, it could have said that easily enough.

Columbia’s and other insurers’ Mistake Exclusions underscore just how immature the cyber insurance market still is. They reflect insurers’ lack of confidence in their ability to underwrite cyber risks, motivating them to try to shift that very risk back onto their insured. A similar dynamic took place in the nascent market for technology errors and omissions policies. Eventually, though, insurers realized that they could rely on their insureds’ own competitive need for quality control and claim mitigation procedures to control the risk of claims for defective products. The same is now becoming true regarding cyber security. Virtually every business recognizes that the monetary and reputational costs that result from failing to protect electronic information are too high not to adopt state-of-the-art security measures. Insurers should now be in a position to underwrite confidently without having to ask their insureds to re-insure them.

Fortunately, insureds have been successful in demanding that the Mistake Exclusion be removed from their policies where it appears. Brokers and risk managers therefore can and should take steps to avoid this trap for the unwary.
JD Supra: http://bit.ly/1CA8Xqp

 

« Bitcoins Berlin Launch for Cashless Greeks
NATO missile system hacked remotely by ‘foreign source’ »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Labris Networks

Labris Networks

Labris Networks specializes in DDoS mitigation, NG Firewall, Unified Threat Management, Centralized Management, Regulatory Compliances and SOC/CERT Services.

Nubo Software

Nubo Software

Nubo’s Virtual Mobile Infrastructure creates a virtual corporate device on your employee smartphones and tablets. Enable unlimited mobility without leaving any data at risk.

The ai Corporation

The ai Corporation

The ai Enterprise Fraud Solution is an on-prem or cloud-based self-service, machine learning fraud detection and prevention tool set.

ColorTokens

ColorTokens

ColorTokens Xtended ZeroTrust Platform protects from the inside out with unified visibility, micro-segmentation, zero-trust network access, cloud workload and endpoint protection.

PurpleSynapz

PurpleSynapz

PurpleSynapz provides hyper-realistic Cyber Security Training with a modern curriculum and Cyber Range.

Selectron Systems

Selectron Systems

Selectron offers system solutions for automation in rail vehicles and support in dealing with your railway cyber security challenges.

Axio Global

Axio Global

Axio is a leading cyber risk management SaaS company. Our Axio360 platform gives companies visibility to their cyber risk, and enables them to prioritize investments to protect their business.

CleanCloud by SEK

CleanCloud by SEK

CleanCloud by SEK is a CSPM product focused on public cloud data protection and security regulations, with over 400 compliance checks for the market's leading frameworks and regulations.

Skudo

Skudo

Skudo is dedicated to creating innovative best-in-class solutions that protect data exchange with the highest level of security and privacy.

Clear Skye

Clear Skye

Clear Skye, an Identity Access and Management (IAM) software company, reimagines enterprise identity access and risk management software to make a complicated problem easier to manage.

Diligent

Diligent

Diligent's SaaS GRC platform gives leaders a connected view of governance, risk, compliance and ESG across their organization.

Gridware

Gridware

Gridware is a specialised cybersecurity consultancy firm and an emerging global player in the cybersecurity intelligence and advisory field.

Data Priva

Data Priva

Data Priva is the UK's leading subscription-based data protection, governance, risk and and compliance service.

Google Cloud

Google Cloud

Accelerate your digital transformation. Whether your business is early in its journey or well on its way to digital transformation, Google Cloud can help solve your toughest challenges.

COPA-DATA

COPA-DATA

COPA-DATA is the only independent software manufacturer to combine in-depth experience in automation with new possibilities of digital transformation – reliable, future-proof and operating worldwide.

Delta Partners

Delta Partners

Delta Partners is a venture capital firm investing in Ireland and the United Kingdom with a strong focus on early stage technology companies.