If you've considered bending the truth, or telling "lies by omission," on your cyber insurance application, we strongly encourage you to reconsider. The consequences can be expensive and far-reaching, as they appear to be for Cottage Health (Cottage) (Source).
Cottage carried cyber insurance from Columbia Casualty (Columbia). Cottage suffered a significant data breach in 2013 that exposed more than 32,500 confidential medical records. A class-action lawsuit followed, claiming that Cottage had failed to properly store and encrypt its records, leaving patient information accessible to anyone on the internet. Cottage settled that suit for $4.125 million. Because Cottage appears to have given false responses on Columbia's insurance risk assessment questionnaire, it now appears to be facing that cost without any coverage from Columbia.
The Columbia policy contained the following wording:
"(...) exclusion entitled Failure to Follow Minimum Required Practices that precluded coverage for any loss based upon, directly or indirectly arising out of, or in any way involving [a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing." (Source)
Here is an example question with an apparently untruthful response: "Do you check for security patches to your systems at least weekly and implement them within 30 days?" Answer given: "Yes." This is a familiar topic to us, because most prospective clients we engage with would, in our eyes, honestly have to answer "No." We rarely see small businesses with managed updates, even when they are paying an IT company to handle them (note: we both require and manage updates as part of our agreements). That is the disconnect: most small businesses fail at security patching, yet many would still toss a sketchy "Yes" at that question.
Because Cottage was apparently not truthful in all of its questionnaire responses, it faces the consequences of having no coverage. The intricacies of the policy and the suit are not the point here. The critical theme is that lying on your cyber insurance application, or failing to keep up the controls you attested to, can burn you when you need coverage the most.
What can we learn from Cottage’s actions?
If you lie on your application, you will regret it when you are the victim of a hack and assume your insurance has your back. In our experience, many small businesses bend the truth on their cyber insurance applications. Blindly answering "yes" to 100 cybersecurity questions may be the quickest way to renew your policy, but that policy will likely be invalidated if any of those answers is tested after an incident. Insurance companies never look for reasons not to pay out, right?
Let's take a look at what you can do to make sure your cyber insurance covers you.
- Most importantly, give honest answers on your cyber insurance application, so that the coverage you are quoted and provided matches your actual security posture.
- Run an annual review to confirm that you are following your own policies and procedures, and that both still match the answers on your cyber insurance questionnaire.
- Review the scope of coverage in your cyber insurance policy. In particular, note whether you have first-party coverage (your own costs, such as breach response and notification), third-party coverage (claims brought against you by others, such as the class action Cottage faced), or both. The distinction will matter if you end up in a lawsuit or are the victim of a hack.
- Continually monitor your compliance with the representations made to your insurer. The Columbia exclusion quoted above applies to any failure to continuously implement the stated controls, not only to a false original answer, so maintaining compliance is the key. This is typically accomplished through a separate engagement with your IT company, or with a third-party firm that does only security compliance monitoring and remediation.
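The patching question above ("check at least weekly, implement within 30 days") is one you can actually test against evidence rather than answer from memory. The following Python script is an added example, not code from the original post or from PK Tech: it evaluates that single representation against a small patch inventory. The inventory (host names, update IDs, scan and install dates) is constructed for illustration, and the 7-day and 30-day windows are taken from the example question; the script answers "Yes" only when every host is clean and otherwise lists exactly what contradicts the answer, which is the kind of record continuous compliance monitoring should produce.

```python
from datetime import date, timedelta

# Constructed sample inventory for illustration only (not real hosts or patches).
# Per host: the date the last patch scan ran, and for each security update the
# vendor release date and the install date (None means it is still pending).
INVENTORY = {
    "web01": {
        "last_scan": date(2024, 3, 10),
        "updates": [
            {"id": "UPD-001", "released": date(2024, 2, 1), "installed": date(2024, 2, 20)},
            {"id": "UPD-002", "released": date(2024, 1, 5), "installed": None},
        ],
    },
    "db01": {
        "last_scan": date(2024, 2, 28),
        "updates": [
            {"id": "UPD-003", "released": date(2024, 2, 5), "installed": date(2024, 3, 11)},
        ],
    },
    "fs01": {
        "last_scan": date(2024, 3, 11),
        "updates": [
            {"id": "UPD-001", "released": date(2024, 2, 1), "installed": date(2024, 2, 10)},
        ],
    },
}

AS_OF = date(2024, 3, 12)  # constructed "today" so the example is reproducible
SCAN_WINDOW_DAYS = 7       # "check for security patches at least weekly"
INSTALL_WINDOW_DAYS = 30   # "implement them within 30 days"


def check_host(host, today, scan_window=SCAN_WINDOW_DAYS, install_window=INSTALL_WINDOW_DAYS):
    """Return the list of ways this host contradicts the questionnaire answer.

    Each finding is a tuple: ("scan_overdue", days_since_scan),
    ("pending_overdue", update_id, days_past_deadline) or
    ("installed_late", update_id, days_late). An empty list means compliant.
    """
    findings = []
    days_since_scan = (today - host["last_scan"]).days
    if days_since_scan > scan_window:
        findings.append(("scan_overdue", days_since_scan))
    for upd in host["updates"]:
        deadline = upd["released"] + timedelta(days=install_window)
        if upd["installed"] is None:
            # Still pending: a violation only once the deadline has passed.
            if today > deadline:
                findings.append(("pending_overdue", upd["id"], (today - deadline).days))
        elif upd["installed"] > deadline:
            # Installed eventually, but later than the attested 30-day window.
            findings.append(("installed_late", upd["id"], (upd["installed"] - deadline).days))
    return findings


def attest(inventory, today):
    """Answer the questionnaire honestly: "Yes" only if every host is clean."""
    results = {name: check_host(host, today) for name, host in inventory.items()}
    answer = "Yes" if not any(results.values()) else "No"
    return answer, results


def report(inventory, today):
    """Human-readable evidence to keep alongside the questionnaire answer."""
    answer, results = attest(inventory, today)
    lines = [f"Patching attestation as of {today}: {answer}"]
    for name, findings in results.items():
        if not findings:
            lines.append(f"  {name}: compliant")
        for f in findings:
            if f[0] == "scan_overdue":
                lines.append(f"  {name}: last patch scan {f[1]} days ago (limit {SCAN_WINDOW_DAYS})")
            elif f[0] == "pending_overdue":
                lines.append(f"  {name}: {f[1]} still pending, {f[2]} days past the {INSTALL_WINDOW_DAYS}-day deadline")
            else:
                lines.append(f"  {name}: {f[1]} installed {f[2]} days after the {INSTALL_WINDOW_DAYS}-day deadline")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, AS_OF))
```

With the constructed data the honest answer is "No": one host has a pending update 37 days past its deadline, another has not been scanned in 13 days and installed a patch 5 days late, and only one host is compliant. In practice the inventory would be fed from your patch management tooling on a schedule, and the dated reports kept as the evidence behind each renewal's answer.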
If you are completing a cyber insurance application and have questions or are trying to decipher existing coverage, PK Tech can help. Contact us here.