On May 7, Columbia Casualty Company, an insurance company, filed one of the first lawsuits by an insurer seeking to deny coverage for a privacy class action under a cyber insurance policy. Why is this significant? As the number and costs of data breach events have soared, specialty cyber insurance policies have become both ubiquitous and necessary. And, generally, insurance companies have responded quickly to data breach claims under cyber insurance and other specialty risk policies (while aggressively fighting coverage of breach-related claims brought under general liability policies). Common wisdom has been that as the cyber insurance market plateaus and claims become more prevalent and costly, insurers will begin to resist coverage and push back more aggressively on claims. The Columbia Casualty Company lawsuit may be the mark of that changing tide.
According to the Columbia Casualty complaint, Cottage Health System or its third-party vendor allowed access to 32,500 medical records and the insurer paid $4.125 million to settle the class action lawsuit that followed. The insurer is now suing to recoup the settlement funds and defense costs on the basis of a coverage exclusion requiring that the insured meet certain “minimum” cybersecurity requirements. The insurance policy required that the insured institute “minimum required practices” and eliminated coverage for “any failure” of the insured to “continuously implement” such procedures. The insurance company claims that the policyholder failed to follow the security risk controls set out in its insurance application and failed to provide complete and accurate information in the application about the practices of one of its third-party vendors.
Such “minimum required” practice exclusions can be highly problematic for an insured because they place the insured at the mercy of second-guessing by the insurance company after a security breach has occurred. At precisely the moment when an insurer should be standing behind its insured, such exclusions allow the insurer to turn the focus to the insured’s conduct rather than the person who attacked its system.
How can a client reduce the risk that its insurer will try to pull coverage at the most critical time?
First, it is critical for insureds to eliminate “minimum requirement” and similar exclusions from their cyber policies. In our experience, insurers will typically strike them, but you have to know what to look for and ask before the policy is issued. Cyber insurance policies do not follow standard forms and can be complicated. They are also evolving very quickly. Accordingly, clients who are buying or renewing these policies should seek out advisors who have specific and deep experience with cyber insurance.
Second, insureds should conduct reasonable due diligence and take appropriate care before making the security representations in their applications for cyber insurance. Whether relying on a specific “minimum requirements” exclusion or more generally pointing to alleged misrepresentations in applications, insurers are likely to scrutinize those representations with ever greater vigilance as the number and costs of cyber claims increase.
We recommend that policyholders engage us early in the process of procuring cyber insurance to assist in identifying and eliminating these coverage exclusions. This due diligence can be conducted specifically for purposes of the insurance application or folded into a more general effort around precautionary cybersecurity preparedness, including a focus on third-party vendors. Such reviews are designed to assist clients in developing a cybersecurity posture that is defensible to regulators, class action plaintiffs and insurers both pre- and post-breach. Reviews typically include:
Preparing a data map of sensitive and personal information for risk assessment purposes, which map can be used to determine where security resources can be strategically deployed;
Reviewing retained data in conjunction with data retention policies to determine whether it makes sense to retain the data;
Scoping and directing cybersecurity assessments, maintaining confidentiality of the analysis under the attorney-client privilege, and conducting risk assessments of identified vulnerabilities to develop risk mitigation strategies;
Reviewing and drafting contracts with third-party vendors who have access to company network assets, and conducting due diligence around the vendors’ security and breach response protocols; and
Preparing incident response plans, and directing and participating in tabletop exercises to assist companies in preparing for a cybersecurity incident and revising incident response plans.
Obviously, these measures cannot guarantee that a company’s systems won’t be breached, but they will put the company in a stronger position to respond to regulators and plaintiffs if and when a security or privacy event occurs. And this front-end work can help reduce the risk that an insurer will seek to set aside coverage at the worst possible time.