Cyber insurance: Buy, but be aware
Not that buying it is a bad idea, say insurance experts, who note the obvious -- the catastrophic losses of a major breach could break a company financially.
"A carefully tailored policy is worth it, when you've taken the time to review the terms," said Lynda Bennett, chair of the Insurance Recovery Practice at Lowenstein Sandler LLP, adding that it is rapidly becoming mandatory for any company that contracts with others.
[ ALSO ON CSO: 5 things you should know about cyber insurance ]
"We're seeing an uptick in companies demanding warranties that you carry it," she said. "It's going to be a reality for most businesses that contract with others."
So the advice of Bennett and others is more along the lines of "buy, but be aware," because the complexity of such policies, complete with fine-print exclusions, can leave an organization without protection it may think it has.
Indeed, "carefully tailored" could mean the difference between millions in coverage and an expensive dispute with an insurer that is refusing to pay.
The most high-profile recent example of that is Columbia Casualty Company v. Cottage Health Systems, a suit filed May 7 in U.S. District Court in California.
Cottage, a California-based healthcare provider, had a so-called NetProtect360 claims-made policy with Columbia, a unit of Chicago-based CNA, when it suffered a data breach of about 32,500 confidential medical records between Oct 8 and Dec. 2 of 2013.
The breach led to a class-action lawsuit brought by patients. A settlement for about $4.12 million received preliminary court approval last December, according to the complaint. There is also an investigation pending by the California Department of Justice about whether Cottage violated provisions of the federal Health Insurance Portability and Accountability Act (HIPAA), which could lead to sanctions or fines.
And that led to the pending complaint from Columbia, which agreed to pay the claim but asserts that Cottage should pay the money back because of its, "failure to follow minimum required (security) practices."
According to the complaint, "Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc., stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet."
Or, as the headline in a recent Naked Security post put it, "We don't cover stupid, says cyber insurer ..."
Indeed, if everything Columbia alleges in the complaint is true, there is clearly an argument that Cottage was at least negligent, if not stupid. According to Columbia, Cottage claimed in its application for the policy that it maintained 10 specific security measures that then amounted to conditions of coverage. It said the breach demonstrated that Cottage had failed to:
Columbia asserts that those alleged failures amount to, "misrepresentations and/or omissions of material fact," in Cottage's application, which means, "the Insurer shall not be liable to pay any Loss."
There is also an argument, however, that one of the major purposes of insurance is to cover damages arising from mistakes -- even stupid mistakes.
An auto insurer may raise a customer's premium for falling asleep at the wheel and smashing into a tree, but it will still cover the damages. A homeowner who gets robbed doesn't lose coverage because he inadvertently left his door unlocked.
[ ALSO: Corporate culture hinders cyber insurance buy-in ]
That is the argument Roberta Anderson, a partner at K&L Gates LLP, made in a recent post about the case on Cyber Risk Network. "The fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing 'cyber' liability coverage," she wrote.
Anderson noted that CNA's marketing materials say it offers coverage, "to address a broad range of exposures," including "security breaches" and "mistakes." She wrote that the court, "should reject outright CNA's attempt to avoid coverage based on a ridiculously broadly worded, open-ended exclusion ..."
Bennett agreed. "That exclusion should never have found its way into the policy," she said.
Darren Guccione, CEO of Keeper Security, said most good cyber policies don't have exclusions like that. "It doesn't matter if the insured was negligent or if they did everything correct and the bad guys are just really good, today's policies respond to cyber events," he said, adding that a colleague who is a cyber insurance broker told him recently that Columbia has removed the exclusion at issue with Cottage from its current version of NetProtect360.
"None of the leading insurance carriers have similar language in their current policies, although some might still try to slip it in," he said.
Whatever the merits of either side in the Columbia v. Cottage case, the dispute over the language demonstrates that, as Anderson put it, "the devil truly is in the details when placing 'cyber' insurance coverage."
In fact, experts agree that the failure to read, understand and negotiate every detail of a policy is probably the most crucial (and potentially expensive) mistake that organizations make when buying cyber insurance.
"You really need to read and understand what you're buying," said Bennett. "It's not just about price and retention. Buying something off the shelf is a very dangerous place to go."
To avoid that, she and others say it is well worth the expense of hiring a specialist broker who regularly negotiates such policies and understands the language.
Christine Marciano, president of Cyber Data Risk Managers, said she thinks the broker that sold Cottage its policy was "obviously inexperienced."
"As a broker who focuses exclusively on cyber insurance, it's mind boggling to me that both Cottage and their insurance broker bypassed that policy exclusion," she said.
"I can't say it enough -- not all policies are the same, and there are many that cover these incidents. Companies clearly must do their due diligence."
That is also the message from Selena Linde, a partner at Perkins Coie LLP. "The exclusion in the Columbia policy for failure to follow minimum required practices is not standard for the industry," she said.
Part of the problem, according to Jared Kaplan, executive vice president and CFO of insureon, is that cyber insurance is relatively new in the industry, unlike auto or home.
Modern vehicles, he notes, have multiple safety systems built in and, "because cars have been around for a while, insurance underwriters have very reliable data for estimating any individual driver's potential to have an accident and at what cost.
"Data breaches, on the other hand, are new territory," he said. "If you watch the news, you know they're happening every day. Nobody's quite sure how to quantify the costs."
Linde agreed, noting that, "although cyber insurance has been around for more than a decade, it is still in its infancy and there are no standard ISO forms.
"Cyber policies are still the Wild West," she said, "so understanding the policy language you are purchasing and how it will respond under potential scenarios for your company is crucial."
Beyond that, Kaplan said a large percentage of organizations aren't practicing basic security. He said one study found that 92% of breaches could have been prevented with basic measures like encryption, secure data backup, and data access control.
"This would be like 92% of drivers not honoring traffic signals," he said.
Bennett said cyber insurers are, "struggling mightily to find out how to underwrite these policies, to set prices appropriately and specify the limits that they can stand behind.
Another minefield can be exclusions for failure to be in compliance with regulatory frameworks.
As many experts have noted, the ever-evolving cyber ecosystem and changes or updates to frameworks can mean an organization is in compliance one day but not the next, to the point that "compliance fatigue" has become a common term in the security industry.
"Security standards can change at any time," Linde said. "Policyholders cannot be expected to predict the future and should not purchase policies with language that, in essence, requires this."
She said many Fortune 500 companies, upon learning of the new Payment Card Industry (PCI) standards that became mandatory at the beginning of 2015, "implemented procedure to satisfy compliance that will take 12 to 18 months to complete.
"If these companies had requirements in their insurance policies that they always be in compliance, the new PCI standards would have obliterated their current coverage," she said.
But experts are unanimous that all those potential problems should not stop organizations from buying cyber insurance. It just needs to be carefully -- very carefully -- with the help of an experienced specialist to read and negotiate through the fine print.
"For small businesses, the average cost of a data breach is $8,700, and policies typically cost less than $2,000 per year," Kaplan said, adding that having the money available for those expenses, "can help preserve a business's reputation and can make it less likely that the initial breach has a long-term negative impact on the business finances."
Indeed, one of the mantras in security is that it is no longer a question of if you will be breached, but when.
"Cyber crime is at all-time high," Marciano said. "A cyber attack can bring any company to a standstill and, if data theft is involved, cause significant costs to respond to the breach, regulators and plaintiff lawsuits, and more."
"The key is to truly understand your coverage and what types of losses may not be insurable," Rafferty said, "as well as ensure that the coverage spans most common breach areas."
In other words, as Linde put it, "You just have to do your homework and know what you are purchasing."