It’s tempting to “gild the lily” when applying for cyber insurance. Insurers are still getting their arms around how to underwrite cyber risks, and so applications commonly feature a lengthy questionnaire about security controls and safeguards. Often folks in the insured’s Finance or Risk departments handle the application process, with minimal involvement by IT Security and Legal. The result can be questionnaire responses that are, well, “aspirational.”
The problem is that the insured’s representations in the application usually become part of the policy, with coverage conditioned on the representations being accurate when made, and also on an ongoing basis. If the questionnaire responses are later deemed to be material misrepresentations, or if what was represented changes materially, then coverage may be lost. With cyber insurance applications, gilding the lily can result in gelding of coverage.
Back in May you might have seen reports of Columbia Casualty v. Cottage Health System, a California lawsuit filed by a cyber insurer seeking a declaratory judgment of no coverage for the insured’s security breach. This case was recently dismissed for mediation under the policy’s terms, without prejudice to it being refiled later. But this will not be the last time these issues arise between cyber insurers and insureds. In Columbia Casualty, the insured health system allegedly failed to establish proper access settings for a system containing confidential health data of 32,500 patients, allowing the data to be publicly accessible over the Internet. The insurer agreed to pay a $4.125 million class action settlement, but reserved its rights to contest coverage.
Why no coverage? According to the insurance company, the insured’s application included material misrepresentations about its security posture, and the insured also failed to maintain the represented safeguards, violating coverage conditions. The health system’s application stated:
4. Do you check for security patches to your systems at least weekly and implement them within 30 days? ● Yes
5. Do you replace factory default settings to ensure your information security systems are securely configured? ● Yes
6. Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes? ● Yes
11. Do you outsource your information security management to a qualified firm specializing in security or have staff responsible for and trained in information security? ● Yes
12. Whenever you entrust sensitive information to 3rd parities [sic] do you…
a. contractually require all such 3rd parties to protect this information with safeguards at least as good as your own ● Yes
b. perform due diligence on each such 3rd party to ensure that their safeguards for protecting sensitive information meet your standards (e.g. conduct security/privacy audits or review findings of independent security/privacy auditors) ● Yes
c. Audit all such 3rd parities [sic] at least once per year to ensure that they continuously satisfy your standards for safeguarding sensitive information? ● Yes
d. Require them to either have sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality. ● Yes
13. Do you have a way to detect unauthorized access or attempts to access sensitive information? ● Yes
23. Do you control and track all changes to your network to ensure it remains secure? ● Yes
That’s a lot of representations. Some of them seem concrete (such as replacing factory default security settings – the insured’s failure to do so allegedly caused the security breach), but others are fuzzy (e.g., requiring service provider safeguards “at least as good as your own”). One wonders whether those answering the questionnaire fully realized that these responses were not simply informational, but were also, according to the insurer, conditions for coverage under the cyber policy.
Litigation over these types of cyber policy provisions will play out over the next few years. Some legal issues will apply to all insurance forms, and others will be unique to the youthful cyber insurance marketplace. But in the meantime, two practical points are key:
- Don’t handle cyber insurance applications in a Finance/Risk Department silo – the organization’s IT Security and Legal functions should be deeply and collaboratively involved.
- Those responsible for your organization’s ongoing security have various compliance “yardsticks,” such as security policies and applicable laws and security standards. But don’t forget another crucial compliance yardstick against which security safeguards, controls, and activities should be measured – the representations made in the organization’s cyber insurance application.
P.S.: These same two points also apply to third-party contracting, in which your organization may respond to a counterparty’s security questionnaire, with your responses being hard-wired into the contract’s provisions for breach, liability, and indemnity.