5.3.1.3 M10 Cyber Insurance Procedure

Risk Analysis:
It is not possible to insure against incompetence or irresponsible behaviour. Directors are personally responsible for security, for privacy and for Data Protection compliance. It is not possible to insure your way out of this personal and legal responsibility.
"I did not know" is no defence and in fact could increase claims against the Director. Very clear documented evidence must exist to verify that Directors took all reasonable, fair and standard precautions. Evidence of staff training in security awareness is mandatory and must not be overlooked.

Cyber Insurance
Cottage Health System discovered that security on one of its servers had been disabled, leaving tens of thousands of personal files potentially open and exposed on the internet.
Those files included personal names, addresses, dates of birth, and their diagnosis, lab results and procedures performed.
Cottage was sued, along with inSync, a company responsible for putting the records in a secure location online.
Imagine the expenses rolling in: a class action lawsuit.
Cyber forensic investigators need to figure out what happened. Security consultants need to analyse and scrub the malware away. People must be notified and offered credit monitoring services. Business will be lost due to newly cautious customers.
The healthcare provider had insurance to cover such a data breach.
The insurer pointed to clauses in the policy that mean it does not have to pay out when the insured party has been lax about its security.
Cottage's insurer, Columbia, has filed a claim against Cottage Health System, claiming that whatever money it had to pay out under the policy would have to be paid right back to it because the healthcare provider allegedly failed to follow "minimum required practices" as spelled out in the insurance policy.
Specifically, the insurer is claiming that Cottage "stored personal records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect personal information from becoming available to anyone who surfed the internet."
The personal data had been exposed for many months.
It is not as if the company was hacked by cyber attackers; rather, the data was accessible via the public internet and to Google search.
That makes it tough to know who might have accessed the data.
In fact, anyone could have viewed the records, the claim states, adding that the "extent of the breach is enormous."
While Cottage is looking for about 2.6 million pounds from its insurer to cover both damages related to the incident and potential fines from government bodies, Columbia is looking to recoup anything it has to pay out.
Some of the alleged security failings that Columbia is hoping will get it out of paying damages:
Cottage and its third-party vendor, inSync, allegedly failed "to continuously implement the procedures and risk controls identified in its application" for the coverage, including...
* Configuration and change management for Cottage's IT systems as well as regular patch management.
* Alleged failure to regularly "re-assess its information security exposure and enhance risk controls" and to...
* "deploy a system to detect unauthorized access or attempts to access sensitive information stored on its servers."

Cyber Insurance
Data breaches are proliferating, and the associated costs are exploding.
According to a study released by the Ponemon, the average cost of a data breach has reached 2.5 million pounds.
Businesses' general liability policies do not cover those costly data breaches.
All of which points to cyber insurance being a wise choice if you can find a policy that will pay out for the vast majority of data breaches a business may well endure.
In fact, AON PLC, the world's largest reinsurance broker, claimed in 2014 that the cyber insurance market was at the time growing at 38% annually.
Insurers can exclude covering data breaches for a host of reasons, including:
* Not paying retroactively. Given that breaches can be discovered months or even years after they begin or end, organisations should carefully consider when coverage starts.
* Terrorism/act of foreign enemy exclusions. Many cyber attacks originate from outside local borders and many of them are believed to be state sponsored. Depending on the policy wording, your organisation could be left high and dry. Experts advise negotiating the removal of such exclusions to ensure organisations are covered for an attack coming from outside the country.
* Lack of coverage for negligence. Insurers are starting to cover only data theft, not negligence. If an employee loses a laptop with sensitive data, some policies will not cover it.
Those are just a few of the things to watch out for when purchasing cyber insurance.
It is a new, growing insurance product, and that means it is still evolving.
It is worth getting, but it should go without saying that getting insurance does not mean the job of securing data is done.

Document Control:
1. Document Title: M10 Cyber Insurance Procedure.
3. Keywords: M10 Cyber Insurance Procedure.
4. Description: M10 Cyber Insurance Procedure.
5. Privacy: Public education service as a benefit to humanity.
6. Issued: 11 Jun 2018.
7. Edition: 1.3.