A recent case of an insurance company suing a former client to recover a $4 million claim payout has ignited a debate over cyber insurance. Cottage Healthcare Systems suffered a data breach due to a hack of their systems. Their insurance company, Columbia Casualty, a division of CNA, alleges that Cottage Healthcare Systems didn’t maintain its security controls, which left the company vulnerable to this cyber attack. Columbia argues that its cyber insurance policy language does not require it to pay for losses resulting from this attack because of Cottage’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.”
Attention to the case in the IT world is certainly warranted. As Mike Pittenger of Black Duck Software wrote on VentureBeat recently, software vendors have been quite willing to forgo protecting their products from the latest security threats and offload that risk to the end user. But it’s an exaggeration to say that the Columbia lawsuit signals a new trend in the relationship between cyber-insurers and clients. The idea that the insurance industry is “fighting back” overlooks some pertinent facts.
First, the policy language that Columbia is relying on to deny coverage wouldn’t pass muster with most customers and brokers. It’s far too broad and incredibly subjective, and a good broker would have had it stricken from the final policy. We can only guess why Cottage agreed to such an open-ended exclusion, but my guess is that it felt the need to have cyber-insurance outweighed the need to read the fine print.
Second, none of the leading insurance carriers has similar language in their current policies, although some might still try to slip it in. To verify this statement, I reached out to my friend Steve Bridges at JLT Specialty, an insurance broker specializing in cyber insurance, who told me that even Columbia has removed the exclusion in question in the current version of NetProtect 360, which is the insurance form at issue. Why did Columbia do that? Bridges has a fairly simple explanation:
“Columbia presumably removed it for commercial reasons as it severely limited coverage, and quality brokers would not recommend that they buy from CNA if this type of language remained in the policy,” he said.
The worst result that could come from this case is that companies are scared away from purchasing cyber insurance, lest they get burned on the fine print. But that worry is vastly overblown. The need to purchase cyber insurance is greater than ever. For starters, Cottage’s fears of a breach proved correct. It was smart to buy coverage; it just bought a flawed version of the product. As we all now know, breaches are all too common.
Indeed, Lloyd’s, the British insurance company, estimates that companies lose about $400 billion globally to cyber crime. It’s one reason the cyber insurance industry has exploded in recent years. Last year, the industry took in $2.5 billion to protect companies from hacks, up 150 percent from $1 billion in 2012, Lloyds reported.
Interest in cyber insurance has exploded, especially for B2C companies, such as retailers, healthcare, and financial institutions. Companies in these industries can have huge amounts of personally identifiable information (PII) and can suffer large losses in the event of a data breach. The cyber insurance market may have hit a tipping point in these industries, with more than 50 percent of all companies buying coverage, according to Bridges. Purchasing patterns in other industries are significantly lower, but increasing, especially immediately following a major breach. There are a number of reasons for this slower uptake among companies that collect less PII, most notably that cyber policies are designed to handle data breach scenarios where the losses are both large and easy to determine. Damages from other cyber events (passing along a virus, denial of services attacks, etc.) are more difficult to ascertain and harder to value.
All of this breach activity has impacted the cost of coverage, particularly for industries with poor track records. Retailers and healthcare entities have suffered massive data breaches (for example, Target, Home Depot, Anthem, and Community Health Systems, among so many others) resulting in cyber insurers paying out millions in claims. The good news is that these policies are working. But, as with any insurance product, these losses impact the price of coverage and these industries are seeing prices increase by 2-3 times the rate they paid over the past couple of years, Bridges told me.
Quite simply, the odds are not in favor of high-risk companies operating without cyber insurance. At the same time, companies should avoid the Cottage example of rushing blindly into cyber-insurance without first understanding the underwriting process. In fact, preparing for underwriting is a great way for a company to review its cyber-security infrastructure and procedures – and shore up holes in the defense (regardless of whether the company eventually buys coverage).
This is because cyber insurance carriers will want to know about a company’s data security practices and procedures, including information about investments in technology (firewalls, intrusion detection, password protection, etc.), staffing, and education. Insurers also want to know about things like patch process, maintenance, future plans, and incident response — the types of things Columbia alleged that Cottage failed to do.
Furthermore, companies seeking coverage will have to complete an application and likely participate in a network security conference call – both of which are key to securing favorable coverage terms and pricing. Bridges noted that they have seen this process go both ways: “We have seen how clients who commit senior staff time and energy to supplying thoughtful answers to insurers’ questions benefit in the renewal process with better terms and pricing.” On the flip side, there are customers whose previous year’s network security call had gone poorly and their pricing had doubled year to year.
By the end of this process, a company will have essentially audited its own security procedures and known vulnerabilities. That alone is worth the time and resources expended. So regardless of how the Columbia case plays out, it should serve as a reminder that cyber insurance must become part of a company’s overall security protocol.
Darren Guccione is CEO of Keeper Security. He has extensive experience in product design, engineering, and development and leads product vision, global strategy, customer experience, and business development at Keeper.