"Caveat emptor" - buyer beware - is the most common warning to those shopping for big-ticket items. That, apparently, applies in spades to buying cyber insurance.
Not that buying it is a bad idea, say insurance experts, who note the obvious -- the catastrophic losses of a major breach could break a company financially.
"A carefully tailored policy is worth it, when you've taken the time to review the terms," said Lynda Bennett, chair of the Insurance Recovery Practice at Lowenstein Sandler LLP, adding that it is rapidly becoming mandatory for any company that contracts with others.
"We're seeing an uptick in companies demanding warranties that you carry it," she said. "It's going to be a reality for most businesses that contract with others."
So the advice of Bennett and others is more along the lines of "buy, but be aware," because the complexity of such policies, complete with fine-print exclusions, can leave an organization without protection it may think it has.
Indeed, "carefully tailored" could mean the difference between millions in coverage and an expensive dispute with an insurer that is refusing to pay.
The most high-profile recent example of that is Columbia Casualty Company v. Cottage Health Systems, a suit filed May 7 in U.S. District Court in California.
Cottage, a California-based healthcare provider, had a so-called NetProtect360 claims-made policy with Columbia, a unit of Chicago-based CNA, when it suffered a data breach of about 32,500 confidential medical records between Oct. 8 and Dec. 2, 2013.
The breach led to a class-action lawsuit brought by patients. A settlement for about $4.12 million received preliminary court approval last December, according to the complaint. There is also an investigation pending by the California Department of Justice about whether Cottage violated provisions of the federal Health Insurance Portability and Accountability Act (HIPAA), which could lead to sanctions or fines.
And that led to the pending complaint from Columbia, which agreed to pay the claim but asserts that Cottage should pay the money back because of its "failure to follow minimum required (security) practices."
According to the complaint, "Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc., stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet."
Or, as the headline in a recent Naked Security post put it, "We don't cover stupid, says cyber insurer ..."
Indeed, if everything Columbia alleges in the complaint is true, there is clearly an argument that Cottage was at least negligent, if not stupid. According to Columbia, Cottage claimed in its application for the policy that it maintained 10 specific security measures that then amounted to conditions of coverage. It said the breach demonstrated that Cottage had failed to:
- Continuously implement the procedures and risk controls identified in its application;
- Regularly check and maintain security patches on its systems; and
- Enhance risk controls, among a host of "other things."