Could Poor Cyber Risk Management Void Your Cyber Coverage?
By Amy Elizabeth Stewart
In 2015 we predicted that cyber insurers would attempt to avoid coverage on grounds the insured failed to implement appropriate security protocols. Regrettably for policyholders, that prediction quickly started becoming a reality.
In May 2015, CNA filed suit in a California federal court, seeking a declaration that it owed no duty to defend or indemnify a hospital system based on the system’s failure to abide by “minimum required practices” disclosed in its policy application. In 2013, the system experienced a data breach implicating more than 30,000 confidential medical records because the patient records were stored without encryption or other security measures on internet-accessible network servers.
Underlying litigation arising from the data breach alleged the insured violated its duties to maintain the security of confidential patient data and to detect and prevent data breaches that would allow such information to become available to the public through the internet. In December 2014, the putative class action was settled for $4.1 million.
When the breach occurred, the hospital system was covered under a $10 million “NetProtect360” claims-made policy issued by Columbia Casualty Company, a CNA insurer. CNA seeks a declaration that it owes neither a defense nor indemnity under the policy because the insured failed “to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application.”
The devil is in the details – or here, in the “self assessment” the insured submitted with its application. In its “Risk Control Self Assessment,” the insured made specific representations regarding how regularly it checks and evaluates exposures, its use of trained information security management, its contractual controls and due diligence for third-party vendors, its efforts to detect unauthorized access to systems, and its maintenance of network security.
In the coverage litigation, CNA contends coverage is barred by the “Failure to Follow Minimum Required Practices” exclusion because the data breach was caused by file transfer protocol (FTP) settings that permitted anonymous user access to confidential patient information via Google. The coverage lawsuit further alleges that the insured failed “to continuously implement the procedures and risk controls identified in its application” and that the data breach resulted from these failures.
CNA further alleges that the insured’s representations in the Risk Control Self Assessment were false and made negligently or with the intent to deceive CNA concerning the system’s data breach risk controls, thereby negating coverage. CNA seeks a declaration that the policy provides no coverage for the data breach and reimbursement of the $4.1 million settlement sum, defense costs, and related expenses.
The Takeaway: Not all cyber policies are created equal. In this non-standardized market, some products are far superior to others, as the insurer-friendly provisions outlined above demonstrate. It is in your company’s interest to review the insurance options carefully to ensure you are getting the coverage your company needs at a competitive price.