The business world is only beginning to understand the extent to which unauthorized network breaches exposing sensitive data can affect valuations and cause unforeseen costs. Specific insurance against corporate hacks is still in its infancy but, for now, insurance companies are still being drawn to these events through traditional liability.
Recently, Cottage Healthcare Systems faced a suit from its customers over 32,500 compromised records. Cottage invoked a liability policy it held with the Columbia Casualty Company, which settled the claim on Cottage’s behalf for $4.1M.
After paying the settlement, Columbia filed suit against Cottage, alleging that the breached network was not properly secured, and is seeking to recover the settlement. According to the suit, the Cottage network was so insecure that files on an FTP server were reachable through a Google search.
According to The Register:
Among the allegations, Columbia claims that Cottage failed to check for and apply security patches within 30 days of release, replace default access settings on security devices, undergo annual security audits, and outsourced data to firms with poor security. Cottage is also accused of failing to provide adequate detection and tracking of changes to its network and data.
To hear Columbia tell it, Cottage put little effort into safeguarding customer data at all. But the precedent that could be set here is interesting. Could this be the beginning of insurance companies conducting post-facto security audits on breached companies? Certainly, any breach implies that a security hole existed in the first place. Since even well-secured networks aren’t completely airtight, a trend like this raises the question of what counts as reasonable basic security.
When network security is insured on its own, it’s generally underwritten as a combination of cyber-liability insurance (third-party damages) and first-party cyber-expense coverage (direct expenses resulting from a hack). For an organization to qualify for such insurance, insurers require a number of precautions. Underwriters, doubtless concerned that companies might treat cyber-insurance as a panacea, are only interested in insuring networks with a low risk of breach. Their cybersecurity product is sold with a full security audit meant to provide “… a comprehensive report of your company’s exposures.”
Chubb Vice President Ken Goldstein wrote an outline for Financial Manager magazine, proudly reprinted by Chubb on its information page about cybersecurity insurance, that recommends steps for an organization to take after a security breach. To managers and executives, it reads like a slow-motion replay of a nightmare. Post-breach procedures include: retaining a forensic expert, notifying all customers and employees, notifying other parties (including state attorneys general, as required by law in many states), and hiring a public relations firm. Implied and unspoken is the fact that business would grind to an uncomfortable halt until such undetermined time as the hack is fully contained, the security experts have finished the post-mortem, and everything has been put back together. Assuming, of course, there is still a reputation intact.
Clearly, while cybersecurity liability insurance may be a prudent step, the proverbial ounce of prevention is in order for many organizations.