Blog: Cyber Liability Insurance

Cyber liability insurance. Will your underwriter wriggle out of the claim?

Ken Munro, 28 May 2015


I spent this afternoon reading up on a case in the US that has interesting ramifications for cyber liability insurance.

A question I’m often asked when speaking at events about cyber insurance is whether the underwriter is going to try to wriggle out of the claim by arguing that ‘good security practice’, or something similar, hasn’t been followed.

In my experience to date, this isn’t the case. While the market is emerging and growing, it’s in the underwriter and broker’s best interest for claims to be paid. One can seriously destabilise an insurance market when a reputation for avoiding claims emerges.

Besides, what is good practice? There are too many standards and too much room for interpretation.

From what I’ve seen, specialist cyber underwriters in the London market specifically avoid clauses around good practice. Instead, they look at the organisation during the risk assessment and actuarial process, determining whether the organisation appears to be taking security seriously.

Are they taking on a cyber policy to insure the poor state of their security, or are they adding it as an important part of the security mix?

If a business is then taken on risk, there’s a fair chance that they have a reasonable security stance.

Then along comes Columbia vs Cottage. A copy of the filing is here:

Essentially, Cottage Health System appears to have accidentally made a batch of patient medical records world-readable and indexable by Google.

Columbia Casualty Company was their insurer and appears to have covered the cost of a class action suit brought by representatives of the patients whose data was exposed.

Columbia didn’t cover the claim, as they believe that Cottage hadn’t adhered to the good security practices required by their policy. Regulations such as HIPAA and CMIA are cited.

So, what’s gone wrong here?

Two schools of thought, in my opinion:

Either Cottage was negligent and didn’t follow the good practice requirements set out in its policy. But then Columbia shouldn’t have been selling a policy under which a claim could so easily be avoided on the basis of nebulous ‘good practice’.

Or Columbia didn’t do a good job of assessing Cottage’s risk and exposure. They underwrote the policy; how could they expect Cottage to be aware of every possible security issue?

After all, if you crash your car, you (hopefully) don’t do it deliberately. It’s usually caused by a distraction, driving too fast, driving when tired, or factors outside your control. That’s what insurance is for: covering the downside. If your car insurer had an exclusion for driving when exhausted, you would want to know about it.

Personally, I think Columbia should swallow it and take silly ‘good practice’ exclusions out of their policies. They should spend more time evaluating the risk and exposures that their prospective insureds present.

I believe that this case will do more damage to Columbia’s standing in the cyber insurance market than they will save in claims. The collateral damage to the rest of the cyber liability insurance market is significant.

But in the meantime, read your policy and, if it contains ‘good security practice’ or similar clauses, go and find a new underwriter. I don’t believe that any business out there follows ‘good practice’ all the time.

We’re human; we all have bad days. That’s what insurance is for.