Risk Management News & Reports

Below is a collection of important news and reports vital to protecting your company from risk.
Please check back frequently to stay abreast of all the current industry news.

Follow Us!

We want to remind you about our Twitter account which lets you stay up to date on the blog and other items.  Our Risk Intelligence Blog provides continuous insight into the insurance industry with the occasional twist of humor.  Recent posts cover the mystery of insurance policy terms and what happens when an internet based company suffers power interruption.  We are updating frequently so please follow us on Twitter @licatrisk and visit our blog often http://licatarisk.com/cms/category/risk-intelligence-blog/

Making Promises You Can’t Keep

Risk Intelligence Blog

You can sometimes get away with it.  Just not when the promise is made to an insurance company.

Cottage Health System of California found that out when they suffered a computer breach, and then had their cyber-policy claim denied by the insurer.

Insurance companies ask you questions on applications, sometimes vague questions with only a yes or no answer.  They add exclusions to their policies containing ambiguous, broad language that can only be interpreted later in court.  They collect the premium for the policy and don’t worry much about what you said on the application until after there is a claim.  The insurance market is like quicksand.

In the case, Continental Casualty v. Cottage Health Systems, the insurer denied the claim on two bases: 1) misrepresentation and 2) the triggering of an exclusion for “failure to follow minimum required practices.”

The Misrepresentation

The application asked (among many other similar ones):

QUESTION: “Do you check for security patches to your system at least weekly and implement them within 30 days?”

ANSWER: “yes”

THE PROBLEM: We should only promise to maintain a program or a policy to do such things;  we should not guarantee that we will do each specific task 100% of the time, which is a non-achievable obligation.

The Exclusion

The exclusion reinforced the non-achievable nature of the promise by saying:

“the Insurer shall not be liable to pay any loss…in any way involving: any failure of an Insured to continuously implement the procedures and risk controls identified…” (emphasis added).

Think of an analogy.  You agree to implement a vehicle fleet policy that prohibits cell phone use while driving.  Can you guarantee no employee ever will use a cell phone while driving?  Are you ok if the insurer denies your auto claim if that happens?  I don’t think so.

In the cyber world, even given the best of programs, things will fall through the cracks.  No matter how strong the order, some employee at some point will not install the patch, change the password, encrypt the doc, etc., etc.  We need the insurer to require us to implement, in good faith, the programs we say we will implement, but to still cover us if some cog in the system breaks down.

And as a general matter, never agree to install security that is “reasonable,” “up to date,” “meets prevailing standards,” or anything of that nature.  These words will be undefined in the policy, and, just as bad, standards are evolving at lightning speed.

The cyber insurance world is a frontier now.   It will settle down at some point in the future.  In the meantime, insureds need to be careful what they promise.

Insurance Policy Terms a Mystery … to the Insurance Company Who Wrote Them!!!

Risk Intelligence Blog

In a recent claim, the adjuster sent an e-mail saying “I wanted to make you aware that there are issues of coverage and some of the costs incurred to date may not be covered under the policy. We should discuss.”

The adjuster explained patiently “your policy does not have ‘sue and labor’ coverage.  This is the coverage which would pay for the cost to protect the property from imminent damage; and that’s what you did. The engineer told you to shovel the roof because it was about to collapse, you did so.  If you had that coverage, it would be part of the claim, but since this coverage isn’t in the policy, there are no funds available for that expense.”

We knew the appropriate coverage was on the policy, it’s one we negotiate for.  So we explained to the adjuster “you’re right, there is no coverage called ‘sue and labor’ in the policy.  But, there is ‘Preservation of Property’, it’s coverage N on page 27 of the policy, if you look, you will see it discusses expenses to protect the property from imminent damage.”

After helping him find the right page in the policy, it was almost like this moment from Saturday Night Live:

You have to know what’s in your policies, because your insurer won’t know.  Whether it is an honest mistake, as in this case, or an attempt to avoid their duties to you, you need to know your facts. Or, you need us on your side.
