The shortsightedness of buying cyber-risk insurance before you fix your cybersecurity has just been made painfully clear by the insurance industry. My partner, Barry J. Fleishman, notes:
History teaches that when insurance coverage is sought for new types of liabilities (e.g., asbestos, environmental) or where new policies or language are placed in the market to respond to specific losses (e.g., environmental coverage, director and officer coverage), lawsuits are necessary to bring clarity to what is covered. We are quickly approaching that time with respect to cyber coverage, and the battles are beginning to rage. What is clear from these emerging cases is that policyholders need to be attentive to and cautious about their security programs and insurance issues before the cyber policies are purchased.
A recently filed lawsuit in California highlights what will be a major battlefield when significant cyber claims are submitted for coverage. In that case, Columbia Casualty Company (“CNA”) sued its policyholder, Cottage Health System (“Cottage”), claiming there was no coverage for the $4.1 million settlement paid by Cottage to approximately 51,000 plaintiffs whose private medical information was stolen when a hacker broke into Cottage’s data system. CNA had sold a “NetProtect360” insurance policy to Cottage. Unfortunately for Cottage, CNA now alleges the policy does not really provide 360-degree coverage.
Specifically, CNA asserted that a “Failure to Follow Minimum Required Practices” exclusion precluded coverage on the alleged ground that Cottage did not follow its own description of its data security system in the insurance application. CNA also asserted that Cottage’s failure to follow the data security protocols detailed in its application constituted a misrepresentation, and that all coverage was forfeited as a result of that alleged misrepresentation. A trial ultimately may be necessary to determine whether there is coverage.
What the CNA case highlights is that policyholders need to be diligent from the first day that they submit an application for cyber insurance to make sure they understand the requirements for coverage in the event of a loss. Such applications should be completed and reviewed carefully not just by risk managers, but also by the CIO, Chief Privacy Officer, or other cognizant IT professionals. Negotiations may be necessary to put correct coverage language in place. Then, after the coverage is purchased, policyholders must take care in implementing their cyber security practices, and create a record sufficient to prove that they have complied with policy requirements. At the end of the day, cyber coverage premium dollars are well spent only if covered losses are paid by the insurer, and the CNA case teaches that scrutiny is needed long before a loss is incurred in order to maximize the opportunities for recovery.