April 27, 2024

Debate over cyber insurance

The debate over cyber insurance has been ignited by a recent case in which an insurance company is suing a former client to recover a $4.1 million claim payout. The lawsuit has been filed against Cottage Healthcare Systems, which suffered a data breach due to a hack of its systems. Its insurance company, Columbia Casualty, a division of CNA, alleges that Cottage Healthcare Systems didn’t maintain its security controls, which left the company vulnerable to this cyber attack. Columbia argues that its cyber insurance policy language does not require it to pay for losses resulting from this attack. The company points to Cottage’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance.”

Attention to the case in the IT world is certainly warranted. As Mike Pittenger of Black Duck Software wrote on VentureBeat recently, software vendors have been quite willing to forgo protecting their products from the latest security threats and offload that risk to the end user. But it’s an exaggeration to say that the Columbia lawsuit signals a new trend in the relationship between cyber-insurers and clients. The idea that the insurance industry is “fighting back” overlooks some pertinent facts.

First, the policy language that Columbia is relying on to deny coverage wouldn’t pass muster with most customers and brokers. It’s far too broad and incredibly subjective, and a good broker would have had it stricken from the final policy. We can only guess why Cottage agreed to such an open-ended exclusion, but my guess is that it felt the need to have cyber-insurance outweighed the need to read the fine print. Second, none of the leading insurance carriers has similar language in their current policies, although some might still try to slip it in.
To verify this statement, I reached out to my friend Steve Bridges at JLT Specialty, an insurance broker specializing in cyber insurance, who told me that even Columbia has removed the exclusion in question in the current version of NetProtect 360, which is the insurance form at issue. Why did Columbia do that? Bridges has a fairly simple explanation: “Columbia presumably removed it for commercial reasons as it severely limited coverage, and quality brokers would not recommend that they buy from CNA if this type of language remained in the policy,” he said. The worst result that could come from this case is that companies are scared away from purchasing cyber insurance, lest they get burned on the fine print. But that worry is vastly overblown. The need to purchase cyber insurance is greater than ever. For starters, Cottage’s fears of a breach proved correct. It was smart to buy coverage;
