The answer to this question may depend on the actions that the insured takes when it applies for coverage and during the period the policy is in force. The demand for cyberinsurance intended to cover exposures from data breaches, among other things, has exploded in recent years, reports The Hill. This is due in large part to the many widely reported data breaches affecting large, well-known companies. Now that more claims are coming in, carriers are scrutinizing more closely the representations made by their policyholders when they applied for the coverage, as well as their actions during the period of coverage. Carriers consider these representations and anticipated security practices to be critical to the underwriting process and conditions on which the coverage is based. In short, inaccurate representations and failing to make good on carrying out the data security practices promised could leave a policyholder without coverage.
Business Insurance reported last week that a cyber insurance carrier is asking a California court whether it has to pay out on a $4.1 million data breach settlement under a policy issued to one of its policyholders. The carrier’s reasoning: an exclusion in the policy states that it does not have to pay if the insured failed to meet the “minimum required practices” that the insured claimed it would follow when it completed its insurance application.
According to Business Insurance, the breach allegedly occurred when the insured (or one of its third-party vendors) had “stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect” the data. The class action lawsuit against the insured that followed the incident settled for $4.1 million, which the insured likely believed would be covered in whole or in part under the policy. However, the carrier claims the insured failed to take the measures it promised to take in its insurance application, citing failures such as not implementing data security controls, not checking and maintaining security patches, not regularly assessing risks, and not having systems in place to identify and address security incidents.
This certainly is not the first case involving a carrier’s challenge to the amount it has to pay under a data breach policy, and it will not be the last. But for companies that have purchased a policy, it is an important reminder that insurance policies are essentially contracts, and if the company seeking the coverage does not meet its end of the bargain (beyond just paying the premiums) the insurer may not have to meet its obligations, leaving the policyholder with an unexpected exposure.
Companies that purchase data breach coverage often have to complete lengthy applications and questionnaires that delve into their data security practices and procedures. These applications and questionnaires need to be answered carefully because, as the case above shows, they can be used by the carrier to deny coverage, which is not an uncommon practice regardless of the type of coverage. Additionally, these applications and questionnaires often reflect not only a snapshot of a company’s data security risk and practices, but also policies and procedures that carriers expect will continue to be in place as a condition of the coverage.
So, the message is clear: companies that purchase data breach insurance and expect to benefit under the policy should a breach occur will need to carefully review and abide by the conditions for coverage under the policy. In particular, the applications and questionnaires that must be completed as part of the underwriting process should be reviewed and considered by the various departments throughout the company in order to be sure the responses accurately reflect the data security practices in place at the time of underwriting. Additionally, steps need to be taken to ensure that these practices continue to be implemented during the policy period. The underlying message is that insurance cannot be the only thing that addresses an organization’s information risk. And, of course, this is important from a compliance perspective, since many of the data security practices referenced in these questionnaires and applications are practices that are required to one degree or another by various federal or state laws.