So you apply for cyberinsurance and in your application, you describe all the security controls and policies you have in place. And an insurance company looks it all over and issues you a policy because you meet the minimum security practices they require.
But then you don’t actually adhere to all the controls and policies you said you have in place – or your business associate doesn’t – and you have a data breach.
Does the insurer still have to cover you?
Columbia Casualty, a unit of CNA Financial Corp., is asking a court to agree that it is not obligated to pay a $4.1 million settlement in litigation stemming from a breach involving Cottage Health System. The breach occurred after an employee of vendor inSync removed security controls on a server. The insurer’s complaint alleges that:
The hospital system failed to “continuously implement the procedures and risk controls identified” in its insurance application, it states. The data breach was caused by its “failure to regularly check and maintain security patches on its system, its failure to regularly reassess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive formation stored on its servers and its failure to control and track all changes to its network to ensure it remains secure among other things.”
Read more on Business Insurance.