At first glance, it sounds like our worst fears have been realized: A cyber insurer has declined coverage under a cyber policy because the client failed to meet minimum security practices.
These are the questions we get all the time.
“Do cyber policies really pay claims?”
“Won’t they exclude coverage based on an ‘intentional acts’ exclusion when rogue employees are involved?”
“Aren’t there exclusions for failing to maintain security standards?”
“Is there some sort of ‘asleep at the switch’ exclusion?”
We repeatedly reassure clients that we have seen cyber policies respond very well in all of these scenarios. But this recent case involving a policy issued by Columbia Casualty, a unit of CNA, would seem to call that advice into question. The good news is that this case is a red herring.
The underlying breach at healthcare provider Cottage Health System exposed 32,500 patient records in 2013. A class action lawsuit filed in January 2014 was settled for $4.1M in December 2014, and CNA funded the settlement. The next week, CNA filed a declaratory action against their insured, seeking recovery of the settlement and related defense costs.
[Note: The case was recently dismissed by a Federal court on the basis that CNA did not follow the ADR requirements under its own policy, but as the court did not opine on the merits of the case, we assume that CNA is still pursuing the coverage denial.]
CNA argues that coverage should not be available for two distinct reasons:
- There was an exclusion in the policy for failing to “continuously implement the procedures and risk controls identified in the Insured’s application”, and the breach was purportedly caused by those security failures.
- The Insured misrepresented their security controls in the application, and those misrepresentations were material to the acceptance of the risk. CNA argues that they would never have agreed to issue a policy had the correct information been known, and therefore they should be able to rescind the policy.
Point one is tricky. That exclusion is extremely broad and appears to read directly on this situation. Quite frankly, it’s a lousy exclusion.
A law firm brief on this topic opines that “the type of ‘Failure to Follow Minimum Required Practices’ exclusion found in the [CNA policy] is regrettably common.” Thankfully, I disagree. None of the major cyber insurers have a similar exclusion in their current standard wording. This was an older CNA base policy form, and they have removed it from their newer version of the same form. Why? Because the market demanded it. Savvy insurance brokers and their clients refused to place business with CNA unless they removed it.
We have seen carriers seek to add onerous exclusions based upon information contained in the application. For example, one insurer has sometimes proposed an exclusion for claims based upon the insured’s “failing to encrypt Confidential Information” when an application states that the prospective insured has no process to encrypt sensitive data.
You might argue that it seems entirely reasonable for an insurer to modify coverage based on the risk being presented. That’s called underwriting. It doesn’t mean that we accept the terms as quoted – sometimes the client needs to provide more detail on their controls to get the exclusion removed. Sometimes we suggest an alternative insurer with a different underwriting approach. Sometimes the insured recognizes that they need to change their risk profile if they want to be able to secure the broadest possible insurance protection.
The second point (application misrepresentation) is a little different. In any insurance transaction, there is a risk that the insurer will allege that they were lied to in the application process, and seek to “rescind” or “void” coverage based on those misrepresentations. Most applications do provide for an insurer to void coverage if a misrepresentation in the application is either (a) made with the intent to deceive, or (b) material to the hazard assumed by the insurer.
Insurers rarely seek to void coverage based on application misrepresentations, except in the most extreme cases. The burden of proof is difficult to meet, and losing a rescission argument would likely lead to bad faith allegations, which can significantly damage an insurer’s reputation.
That’s not to say it isn’t critically important to be accurate in a cyber application. But applications don’t require you to warrant that your systems are infallible. Do you have a process for encrypting sensitive data? Great. If an employee makes a mistake and makes the encryption key accessible to a third party, a good cyber policy would respond. That’s not a misrepresentation in the cyber application.
In the Cottage Health case, it is not clear if the company actually had controls and they failed, or if they never had the controls in the first place. There are at least two sides to every story, and we don’t know if CNA would have pursued this case based solely on the application misrepresentation. But that seems unlikely. The application issue is not the unusual element in this case. It’s the exclusion that is the red herring. It’s not common, and it’s giving cyber insurance a bad reputation. Rest assured, this coverage dispute is not representative of the state of cyber insurance.