Are You Meeting the Requirements of Your Cyber Liability Insurance Policy?

Of course, this question assumes that your business has a cyber liability insurance policy (you do have one, right?). One of the most common issues we see with compliance is related to the “failure to maintain” exclusion in these policies. By not properly maintaining and securing your IT infrastructure, you can be subject to an exclusion for failing to follow minimum required practices. 

A Real World Example
That is exactly what happened in the case of Columbia Casualty vs Cottage Health. In this case, Cottage Health was storing medical records on a server that was accessible via the internet (a patient portal). It is alleged that they:

  • Failed to regularly check and maintain security patches

  • Failed to regularly reassess their information security exposure and enhance risk controls

  • Failed to have a system in place to detect unauthorized access or attempts to access sensitive information

  • Failed to track all changes on the network to ensure that it remains secure

The result was a class action lawsuit filed against Cottage Health in January of 2014. They came to a $4.1M settlement and received court approval in December 2014. Then the insurance company, Columbia Casualty, claimed that it wasn't obligated to fund the settlement because of an exclusion in the policy that precludes coverage for failure to follow minimum required practices. What may be surprising to you - the reader - is that many of these policies have this exclusion. 

In Conclusion
The Columbia Casualty vs Cottage Health case is still going at the time of this article. What this tells us is that we need to follow minimum required practices. You need to ask yourself:

  • Are you patching your computers? Can you prove it? 

  • Are you monitoring for security breaches? 

  • Are you monitoring for data breaches? 

  • Are you storing sensitive information in places that have little or no protection? 

  • Are you encrypting your data? 

  • Are you tracking your assets? 

  • Do you have a process for destroying old hardware that contains sensitive data?

Has your organization implemented a cybersecurity framework? If so, you probably have answers for all of the questions above. If you don't have an answer for those questions, it's important that you begin working towards a more structured, secure IT environment.

Greg Tirico