BreachExchange mailing list archives

Will Your Cyber Insurance Respond When You Need It Most?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 27 May 2015 20:00:34 -0600

http://www.jdsupra.com/legalnews/will-your-cyber-insurance-respond-when-80471/

On May 7, Columbia Casualty Company, an insurance company, filed one of the
first lawsuits by an insurer seeking to deny coverage for a privacy class
action under a cyber insurance policy.  Why is this significant?  As the
number of data breach events and costs have soared, specialty cyber
insurance policies have become both ubiquitous and necessary.  And,
generally, insurance companies have responded quickly to data breach claims
under cyber insurance and other specialty risk policies (while aggressively
fighting coverage of breach-related claims brought under general liability
policies).  Common wisdom has been that as the cyber insurance market
plateaus and claims become more prevalent and costly, insurers will begin
to resist coverage and push back more aggressively on claims.  The Columbia
Casualty Company lawsuit may be the mark of that changing tide.

According to the Columbia Casualty complaint, Cottage Health System or its
third-party vendor allowed access to 32,500 medical records and the insurer
paid $4.125 million to settle the class action lawsuit that followed.  The
insurer is now suing to recoup the settlement funds and defense costs on
the basis of a coverage exclusion requiring that the insured meet certain
“minimum” cybersecurity requirements.  The insurance policy required that
the insured institute “minimum required practices” and eliminated coverage
for “any failure” of the insured to “continuously implement” such
procedures.  The insurance company claims that the policyholder failed to
follow the security risk controls set out in its insurance application and
failed to provide complete and accurate information in the application
about the practices of one of its third-party vendors.

Such “minimum required” practice exclusions can be highly problematic for
an insured because they place the insured at the mercy of second-guessing
by the insurance company after a security breach has occurred.  At
precisely the moment when an insurer should be standing behind its insured,
such exclusions allow the insurer to turn the focus to the insured’s
conduct rather than the person who attacked its system.

How can a client reduce the risk that its insurer will try to pull coverage
at the most critical time?

First, it is critical for insureds to eliminate “minimum requirement” and
similar exclusions from their cyber policies.  In our experience, insurers
will typically strike them, but you have to know what to look for and ask
before the policy is issued.  Cyber insurance policies do not follow
standard forms and can be complicated.  They are also evolving very
quickly.  Accordingly, clients who are buying or renewing these policies
should seek out advisors who have specific and deep experience with cyber
insurance.

Second, insureds should conduct reasonable due diligence and take
appropriate care before making the security representations in their
applications for cyber insurance.  Whether relying on a specific “minimum
requirements” exclusion or more generally pointing to alleged
misrepresentations in applications, insurers are likely to scrutinize those
representations with ever greater vigilance as the number and costs of
cyber claims increase.

We recommend that policyholders engage us early in the process of procuring
cyber insurance to assist in identifying and eliminating these coverage
exclusions.  This due diligence can be conducted specifically for purposes
of the insurance application or folded into a more general effort around
precautionary cybersecurity preparedness, including a focus on third-party
vendors.  Such reviews are designed to assist clients in developing a
cybersecurity posture that is defensible to regulators, class action
plaintiffs and insurers both pre- and post-breach.  Reviews typically
include:

- Preparing a data map of sensitive and personal information for risk
assessment purposes, which map can be used to determine where security
resources can be strategically deployed;
- Reviewing retained data in conjunction with data retention policies to
determine whether it makes sense to retain the data;
- Scoping and directing cybersecurity assessments, maintaining
confidentiality of the analysis under the attorney-client privilege, and
conducting risk assessments of identified vulnerabilities to develop risk
mitigation strategies;
- Reviewing and drafting contracts with third-party vendors who have access
to company network assets, and conducting due diligence around the vendors’
security and breach response protocols; and
- Preparing incident response plans, and directing and participating in
tabletop exercises to assist companies in preparing for a cybersecurity
incident and revising incident response plans.

Obviously, these measures cannot guarantee that a company’s systems won’t
be breached, but they will put the company in a stronger position to respond
to regulators and plaintiffs if and when a security or privacy event
occurs.  And, this front-end work can help reduce the risk that an insurer
will seek to set aside coverage at the worst possible time.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 