Columbia asserts that those alleged failures amount to "misrepresentations and/or omissions of material fact" in Cottage's application, which means "the Insurer shall not be liable to pay any Loss."
There is also an argument, however, that one of the major purposes of insurance is to cover damages arising from mistakes -- even stupid mistakes.
An auto insurer may raise a customer's premium for falling asleep at the wheel and smashing into a tree, but it will still cover the damages. A homeowner who gets robbed doesn't lose coverage because he inadvertently left his door unlocked.
That is the argument Roberta Anderson, a partner at K&L Gates LLP, made in a recent post about the case on Cyber Risk Network. "The fact that any insured reasonably can be expected to make mistakes, i.e., to be negligent, in the complex areas of cybersecurity and data protection is a principal reason for purchasing 'cyber' liability coverage," she wrote.
Anderson noted that CNA's marketing materials say it offers coverage "to address a broad range of exposures," including "security breaches" and "mistakes." She wrote that the court "should reject outright CNA's attempt to avoid coverage based on a ridiculously broadly worded, open-ended exclusion ..."
Bennett agreed. "That exclusion should never have found its way into the policy," she said.
Darren Guccione, CEO of Keeper Security, said most good cyber policies don't have exclusions like that. "It doesn't matter if the insured was negligent or if they did everything correct and the bad guys are just really good, today's policies respond to cyber events," he said, adding that a colleague who is a cyber insurance broker told him recently that Columbia has removed the exclusion at issue with Cottage from its current version of NetProtect360.
"None of the leading insurance carriers have similar language in their current policies, although some might still try to slip it in," he said.
Whatever the merits of either side in the Columbia v. Cottage case, the dispute over the language demonstrates that, as Anderson put it, "the devil truly is in the details when placing 'cyber' insurance coverage."
In fact, experts agree that the failure to read, understand and negotiate every detail of a policy is probably the most crucial (and potentially expensive) mistake that organizations make when buying cyber insurance.
"You really need to read and understand what you're buying," said Bennett. "It's not just about price and retention. Buying something off the shelf is a very dangerous place to go."
To avoid that, she and others say it is well worth the expense of hiring a specialist broker who regularly negotiates such policies and understands the language.
Christine Marciano, president of Cyber Data Risk Managers, said she thinks the broker that sold Cottage its policy was "obviously inexperienced."