I recently came across an interesting case of denial of cybersecurity insurance coverage that I believe should serve as a warning for healthcare organizations and for many of Loricca’s clients.
Following a 2013 breach of patient information, the Cottage Health hospital network paid over $4 million in a class action settlement. The provider of Cottage Health’s cybersecurity insurance policy is now refusing to pay the company’s claim based on a “failure to follow minimum required practices” (implementing adequate policies and risk controls).
The insurer has also threatened to void Cottage Health’s policy completely because of misinformation provided at the time of application. The insurance application process requires a Risk Control Self-Assessment. The investigation identified misinformation submitted with the assessment related to the company’s assurances that it routinely:
- Changed default settings and configuration,
- Checked and maintained security patches, and
- Performed due diligence regarding vendors’ safeguards (Business Associate Agreements).
The insurer has stated that the misinformation provided is sufficient to void the policy and deny the claim even if there was no intention to deceive.
An article in the National Law Review encourages “both risk managers and IT personnel, with the assistance of cybersecurity experts if necessary, [to] actively engage in preparing the responses to cyber insurance application questionnaires and risk self-assessments.” The article also encourages expert legal scrutiny of cyber policy wording. Loricca does not provide such legal advice but often works with attorneys to help clients navigate this process.
If you are not certain that your organization’s cyber insurance policy is airtight, a thorough risk assessment and review now could save you the aggravation and expense of a denied claim down the road. If your organization is shopping for a policy or is in the process of performing the self-assessment required during the application process (many insurers now require a full third-party assessment), do not risk even an unintentional misstatement that could be used against you later. Contact us to discuss a full assessment and assistance.