The content for this week’s post was taken with permission from Joseph Brunsman, a broker at Chesapeake Professional Liability Brokers in Anapolis, MD. Joe combines his experience as a former IT, with a Master’s in Cybersecurity Law for an in-depth and very unique perspective on cyber insurance. This post is an excerpt of key points from Joe’s video of the same name.
Insurance policies are legal contracts. Be very careful about giving definitive answers to questions that may be impossible to answer in definite terms. For example: “ Are you compliant will all applicable state and federal cybersecurity and privacy laws?”
It is near impossible to know ALL of the state and federal laws, some might include vague wording or room for interpretation. Guidance is also constantly evolving, so how can anyone answer this question in the affirmative?
Another example, Are you HIPAA compliant? Again, be careful. Does it mean you are HIPAA compliant RIGHT NOW? Throughout the policy period? What if something changes in your network? Do you need to notify the insurer of any change in compliance status? How will you track compliance status on an ongoing basis? Who is responsible for this task?
So what’s the harm in saying “Yes”? A potential declination of coverage and liability falling back on YOU.
Businesses and their Managed Service Providers should understand that they are making representations that form the basis of a contract – the insurance policy. These representations may be held against them by the insurer following a breach. Such was the case of Columbia Casualty Co. v. Cottage Health System.
Cottage Health System, an operator of hospitals across southern California, purchased a “NetProtect360” cyber insurance policy from Columbia Casualty Company. While applying for coverage, Cottage was required to complete a “Risk Control Self-Assessment.” As part of the application process, Cottage made the following representations in their risk assessment (which will likely sound familiar to businesses applying for their own cyber insurance):
Columbia asserted that Cottage had failed to replace factory default setting in its servers. This failure resulted in the FTP settings on their server to allow for anonymous users accessing protected user data via an Internet search engine. These allegations directly contradicted answers to numerous questions in their application.
Also, within the application completed by Cottage, Columbia had noted that the policy would be null and void if the Application contains any misrepresentation or omission. Furthermore, Columbia’s policy contained a condition requiring, “Minimum Required Practices” to be followed as a “condition precedent to coverage.”
Columbia asserted that they were entitled to be reimbursed by Cottage for the full $4.125 million settlement paid for the class-action claim, and demanded reimbursement for all related expenses, attorney’s fees, and defense costs from the class-action claim.
If you are assisting a customer with their application, you need to be sure you are being 100% accurate or the liability could come back on you if they have a claim denied based on information that you provided for the application. Some of the information MUST be answered by the Client, or their Human Resources or Legal.
What is the right way to handle these types of questions on an application? Joe’s advice is to add an addendum if additional explanation is needed. Don’t hesitate to ask the insurer to define exactly what they mean, define their terms, and explain what you do vs. what you think the “right” answer is.
Joe also suggests that you “Be the Hero” and use requests from Clients who want help with their insurance application to remind them of the importance of fundamental cybersecurity controls and aligning to a known framework.
Click to view Joe’s complete video.
Click to download Joe’s latest book on cyber insurance and compliance.