Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements.

Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands of its patients’ private medical information being publicly disclosed. In addition to other losses, Cottage Health paid $4.125 million to settle a putative class action in 2014 and faces additional proceedings arising from the breach. Columbia’s lawsuit denies all coverage for the breach and seeks to rescind its policy due to the insured’s alleged failure to comply with the cybersecurity practices described in its application.

In its complaint Columbia contends, first, that the “Failure to Follow Minimum Required Practices” exclusion in its cyber policy—applying to losses from, among other things, the Insured’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application”—precludes coverage for Cottage Health’s losses.

Columbia further contends that it has a right to void its policy altogether due to alleged misstatements in the “Risk Control Self Assessment” that Cottage Health completed as part of its cyber insurance application. For example, Columbia alleges that Cottage Health misrepresented:

  • “that it replaced factory default settings to ensure that its information security systems were securely configured”;
  • “that it regularly checked and maintained security patches on its systems”; and
  • “the degree of due diligence Cottage exercised with respect to [its information security management vendor’s] safeguards.”

Relying on its broadly worded “Application” condition and “Minimum Required Practices” warranty, Columbia asserts that even if Cottage Health did not intend to deceive, a negligent misrepresentation or omission of material fact is enough under these clauses for Columbia to deem its cyber policy “null and void.”

One lesson for policyholders from the Cottage Health lawsuit is that the cyber insurance application process and its relation to policy conditions and exclusions must be managed with care, not only to avoid potential misstatements and omissions, but also to close off potential opportunities for the insurer to engage in “post-loss underwriting”; that is, after receiving notice of a loss, to search for inaccurate application responses—even those innocently made, and even those unrelated to the loss—to support a denial of coverage. Both risk managers and IT personnel, with the assistance of cybersecurity experts if necessary, must actively engage in preparing the responses to cyber insurance application questionnaires and risk self-assessments.

In addition, any new cyber policy wording requires expert legal scrutiny before purchase, because these specialty insurance products can contain gaps or hidden traps. For example, Cottage Health might have averted its dispute with Columbia if the policy’s potentially onerous “Failure to Follow Minimum Required Practices” exclusion had been modified or deleted. Similarly, the policy’s strict “Application” and “Minimum Required Practices” clauses might have been moderated—for example, by limiting the right of rescission to cases of intentional misrepresentation of material facts.