Given the current state of cyber risk, cyber liability insurance is increasingly becoming an essential element in the overall risk management strategy for many businesses. However, the language used in these policies can be complex, and it may not be easy for businesses to identify and understand potential gaps in coverage.
These policies and their levels of coverage vary by insurer, so it is important to review any policy and its exclusions prior to purchase, to understand the potential limitations in coverage. Failure to do so can lead to uncertainty and can expose a business to coverage disputes, frequently at the worst possible time – after a breach has already occurred.
In a case still pending, Columbia Casualty Co. v. Cottage Health System, an insurer (Columbia) filed suit seeking to deny coverage under the cyber liability policy it issued to Cottage Health System (Cottage). Cottage, which operates a network of hospitals, suffered a data breach in 2013 in which the confidential electronic medical records of approximately 32,500 of its patients stored on its servers were made available to the public on the Internet.
Columbia argues, among other things, that coverage is barred based on the policy’s “Failure to Follow Minimum Required Practices” exclusion that precludes coverage for the “failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application…” as well as the policy’s “Minimum Required Practices” condition which provides that, as a condition precedent to coverage, Cottage warranted that it would “maintain all risk controls” identified in its application. Columbia also claims that the policy should be rescinded because Cottage’s responses to its application contained misrepresentations and/or omissions of material fact upon which Columbia relied when issuing the policy.
This case highlights how important it is for businesses to have a thorough understanding of their risk profile when applying for coverage, and to consider cyber liability policy limits and exclusions prior to purchasing cyber liability insurance. Companies that purchase cyber insurance must be able to document their adherence to the risk controls stipulated in the application.
If you have cyber security insurance, ask about HIPAAcraticRx’s service that provides documentation of compliance practices to ensure you get paid, should you need to file a claim. We run reports of your network that objectively document their statuses, specifically reporting on data that answers questions from cyber insurance policies. These periodic scans are saved and used, if necessary, to document the veracity of your claim. Read this article in its entirety at JDSupra.