We want to remind you about our Twitter account, which lets you stay up to date on the blog and other items. Our Risk Intelligence Blog provides continuous insight into the insurance industry with the occasional twist of humor. Recent posts cover the mystery of insurance policy terms and what happens when an internet-based company suffers a power interruption. We are updating frequently, so please follow us on Twitter @licatrisk and visit our blog often: http://licatarisk.com/cms/category/risk-intelligence-blog/
Below is a collection of important news and reports vital to protecting your company from risk.
Please check back frequently to stay abreast of all the current industry news.
You can sometimes get away with it. Just not when the promise is made to an insurance company.
Cottage Health System of California found that out when they suffered a computer breach, and then had their cyber-policy claim denied by the insurer.
Insurance companies ask you questions on applications, sometimes vague questions with only a yes or no answer. They add exclusions to their policies containing ambiguous, broad language that can only be interpreted later in court. They collect the premium for the policy and don’t worry much about what you said on the application until after there is a claim. The insurance market is like quicksand.
In the case, Continental Casualty v. Cottage Health Systems, the insurer denied the claim on two bases: 1) misrepresentation and 2) the triggering of an exclusion for “failure to follow minimum required practices.”
The application asked (among many other similar questions):
QUESTION: “Do you check for security patches to your system at least weekly and implement them within 30 days?”
THE PROBLEM: We should only promise to maintain a program or a policy to do such things; we should not guarantee that we will do each specific task 100% of the time, which is a non-achievable obligation.
The exclusion reinforced the non-achievable nature of the promise by saying:
“the Insurer shall not be liable to pay any loss…in any way involving: any failure of an Insured to continuously implement the procedures and risk controls identified…” (emphasis added).
Think of an analogy. You agree to implement a vehicle fleet policy that prohibits cell phone use while driving. Can you guarantee no employee will ever use a cell phone while driving? Are you OK if the insurer denies your auto claim if that happens? I don’t think so.
In the cyber world, even given the best of programs, things will fall through the cracks. No matter how strong the order, some employee at some point will not install the patch, change the password, encrypt the doc, etc. We need the insurer to require us to implement, in good faith, the programs we say we will implement, but to still cover us if some cog in the system breaks down.
And as a general matter, never agree to install security that is “reasonable,” “up to date,” “meets prevailing standards,” or anything of that nature. These words will be undefined in the policy, and, just as bad, standards are evolving at lightning speed.
The cyber insurance world is a frontier now. It will settle down at some point in the future. In the meantime, insureds need to be careful what they promise.
In a recent claim, the adjuster sent an e-mail saying “I wanted to make you aware that there are issues of coverage and some of the costs incurred to date may not be covered under the policy. We should discuss.”
The adjuster explained patiently, “Your policy does not have ‘sue and labor’ coverage. This is the coverage which would pay for the cost to protect the property from imminent damage, and that’s what you did. The engineer told you to shovel the roof because it was about to collapse, and you did so. If you had that coverage, it would be part of the claim, but since this coverage isn’t in the policy, there are no funds available for that expense.”
We knew the appropriate coverage was on the policy; it’s one we negotiate for. So we explained to the adjuster, “You’re right, there is no coverage called ‘sue and labor’ in the policy. But there is ‘Preservation of Property’; it’s coverage N on page 27 of the policy. If you look, you will see it discusses expenses to protect the property from imminent damage.”
After helping him find the right page in the policy, it was almost like this moment from Saturday Night Live:
You have to know what’s in your policies, because your insurer won’t know. Whether it is an honest mistake, as in this case, or an attempt to avoid their duties to you, you need to know your facts. Or, you need us on your side.