Cyber risk events – hacking and other forms of data
privacy breach – unquestionably have hit the big time.
Multi-million dollar losses seem to be in the news every other day.
When a company is hacked and private information is stolen,
"secure" networks are reduced to shambles, business
reputations are tarnished, and companies suffer loss.
Recognizing the full dimensions of these risks, companies are
flocking to buy insurance. Insurance products on the market cover a
wide range of loss including liability for security breaches, costs
for defending against claims of stolen private information, network
security repair costs, and other loss. More than 60% of businesses
recently surveyed by the trade report Business Insurance
acknowledged that they purchased specific cyber coverage, and many
of those companies are buying tens of millions of dollars in policy
limits. The purchasers broadly range across a wide swath of leading
U.S. industry groups, including retail, health care, education,
hospitality, and financial.
History teaches that when insurance coverage is sought for new
types of liabilities (e.g., asbestos, environmental) or where new
policies or language are placed in the market to respond to
specific losses (e.g., environmental coverage, director and officer
coverage), lawsuits are necessary to bring clarity to what is
covered. We are quickly approaching that time with respect to cyber
coverage, and the battles are beginning to rage. What is clear
from these emerging cases is that policyholders need to be
attentive to and cautious about their security programs and
insurance issues even before the cyber policies are
purchased.
A recently filed lawsuit in California highlights what will be a
major battlefield when significant cyber claims are submitted for
coverage. In that case, Columbia Casualty Company ("CNA")
sued its policyholder, Cottage Health System ("Cottage")
claiming there was no coverage for the $4.1 million settlement paid
by Cottage to approximately 51,000 plaintiffs whose private medical
information was stolen when a hacker broke into Cottage's data
system. CNA had sold a "NetProtect360" insurance policy
to Cottage. Unfortunately for Cottage, CNA now alleges the policy
does not really provide 360-degree coverage.
Specifically, CNA asserted that a "Failure to Follow Minimum
Required Practices" exclusion precluded coverage on the
alleged ground that Cottage did not follow its own description of
its data security system in the insurance application. CNA also
asserted that Cottage's failure to follow the data security
protocols detailed in its application constituted a
misrepresentation, and that all coverage was forfeited as a result
of that alleged misrepresentation. A trial ultimately may be
necessary to determine whether there is coverage.
What the CNA case highlights is that policyholders need to be
diligent from the first day that they submit an application for
cyber insurance to make sure they understand the requirements for
coverage in the event of a loss. Such applications should be
completed and reviewed carefully not just by risk managers, but
also by the CIO, Chief Privacy Officer, or other cognizant IT
professionals. Negotiations may be necessary to put correct
coverage language in place. Then, after the coverage is purchased,
policyholders must take care in implementing their cyber security
practices, and create a record sufficient to prove that they have
complied with policy requirements. At the end of the day, cyber
coverage premium dollars are well spent only if covered losses are
paid by the insurer, and the CNA case teaches that scrutiny is
needed long before a loss is incurred in order to maximize the
opportunities for recovery.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.