Cyber Insurance Debate Heating Up

Wednesday, May 20, 2015 @ 01:05 PM gHale


Insurance issues related to cyber security claims are generating more interest around the industry these days, and if manufacturers do not follow all their procedures and policies strictly, they could find themselves out in the cold when it comes to collecting on any claim.

While this report from the Privacy and Security Matters web site relates to the health industry, it could very well apply in the manufacturing arena:

“Cyber security, and cyber insurance, have dominated the industry headlines for several years now, but even as companies, brokers and insurers work to develop these products, there has been a dearth of case law interpreting key provisions. This is beginning to change as disputes arise and make their way through the judicial system.

“One such suit came last week when (insurance giant) CNA filed a declaratory judgment action against its insured Cottage Health System, seeking reimbursement of both defense costs and a $4.125 million settlement it had paid out on a claim made under Cottage’s cyber policy. In January 2014, Cottage was sued in a class action in California state court, where it was alleged that the records of more than 30,000 of Cottage’s patients had been disclosed to the public via the Internet. Cottage allegedly stored such records on an Internet-accessible system but failed to install encryption or use other safeguards. The California court granted approval of the $4.125 million settlement fund in December 2014. CNA, which had reserved rights, filed this action.

“In the action, CNA invokes the exclusion for “failure to follow minimum required practices” which precludes coverage if the insured does not “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.” In its application Cottage had indicated that it regularly re-assessed its exposure to information security and privacy threats, among other, more specific, data-protection procedures. CNA asserts that this representation in the application was false.

“Insureds and insurers in the cyber space would do well to watch this matter unfold. The exclusion invoked, and the application questions it relies on, are broadly worded and may leave room for strong arguments on both sides. Regardless of the outcome, we can be sure that this is only the beginning of judicial interpretation of the key terms of cyber-related policies. Interested readers can also review one of the first cyber-related decisions in the country, which came out of the District Court of Utah last week.”


