The explosive demand for cyber-security insurance follows attacks against major corporations like Sony, Atena, Target, Home Depot and JP Morgan that exposed the personal information of hundreds of millions of customers and cost the affected companies millions of dollars. The ever-increasing attacks have heightened the awareness of business owners and have many of them concerned they could be the next victim of an attack.
With the recent explosion of cyber-attacks against high-profile corporations, insurance companies are starting to take a closer look at claims made by policyholders, analyzing each breach to determine if the insured followed the agreed-upon security practices laid out in the underwriting process. Insurance carriers are carefully scrutinizing the statements made from the policy application through the period of coverage to determine if inaccurate representations were made or if the agreed-upon security practices were not followed. If it’s determined that the insured didn’t follow the security practices, the claim will likely be denied, putting the insured on the hook for the full damages of the security breach.
How to Get a Claim Denied
Just how important it is to follow the agreed-upon security practices came as a hard lesson to a company called Cottage Health Systems in December 2014. CNA, their insurance company, filed suit against Cottage Health Systems for $4.125 million paid on a claim made under Cottage Health Systems’ cyber policy. CNA claims Cottage failed to “follow minimum required practices,” which precludes coverage if the insured does not “continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.” In a nutshell, Cottage Health Systems reported to CNA that it had regularly re-assessed its exposure to information security and privacy threats, among other, more specific, data-protection procedures. CNA claims this representation in the application was false. Court records state 30,000 patient records were compromised because Cottage Health Systems allegedly stored such records on an internet-accessible system but failed to install encryption or use other safeguards. The California court agreed and granted approval of the $4.125 million settlement fund. It should be noted that further litigation is expected in this case, and in others that are denied in the future, because cyber liability application questions are broadly worded, leaving room for strong arguments on both sides.
Cyber Liability Claim Pitfalls
Even when a company pays out a claim, the odds are against the insured having their entire loss covered. Experian reports the average cost of a breach is $9.4 million over 24 months, and in some cases as high as $100 million. Only $100 million of the projected $264 million in damages claimed by Target was covered. Home Depot expects about $100 million will be paid on their $232 million claim that resulted from the 2014 attack. The trend of a limited payout compared to the actual loss is continuing. When these insureds go to renew their policies, they face massive hikes in premiums and deductibles, putting them on the hook for millions of dollars lost if there is ever another security breach.
What Should the Policy Cover?
When considering cyber-liability, insurance companies are increasingly looking for policies that will cover the full suite of actions they take in the event of an attack. Not only is a data breach expensive, but companies also have the responsibility to navigate 47 different state notification laws, notify customers of the breach, pay for credit monitoring for those affected, hire forensic investigators, repair systems and prepare for lawsuits. Target alone is facing a shareholder class action lawsuit and another joint lawsuit from banks asking for reimbursement for reissuing cards.
Cyber Liability Policy and Cyber Security Experts Working Together
The silver lining behind cyber-liability insurance is that there is now widespread adoption of policies that are forcing companies to thoroughly evaluate cyber risks. The U.S. government has been trying to get the private sector to do this for many years. Navigating and accurately completing a cyber-liability policy is cumbersome. Many, like this cyber liability policy, have pages upon pages of questions that must be accurately completed. Even when the policy is in place, a company must make sure it follows the agreed-upon security practices, or the insurance company may deny the claim. A cyber-liability policy is just one piece of the puzzle. The critical aspect is making sure your data is secured and you are following your security protocols, so a claim will not be denied if a breach occurs. WatchPoint Data has the security tools and forensic experts a business needs to put a security policy in place and prevent those massive breaches from happening. WatchPoint Data incorporates a procedure of Prevention, Detection, and Response, keeping systems patched and free of vulnerabilities, using state-of-the-art software like Carbon Black to detect malware and intrusions, and responding to any threat, large or small. Closing the security gaps and strengthening a company’s cyber security policy is the main focus of WatchPoint Data.