As I predicted (which did not require a large amount of clairvoyance) after the Cottage Health fiasco, insurance companies prefer to deposit premium checks and have begun to fight cyber insurance claims. Since most people don’t read their insurance policies and even fewer make sure that they are in compliance with the terms of the policy, this is kind of like taking candy from a baby – an unfair fight.
In the Cottage Health case, Cottage was breached and their cyber insurance carrier, a division of CNA, paid the $4 million claim. CNA later said that Cottage was not in compliance with the terms of their policy even though the insurance carrier initially paid the $4 million claim, and is suing to get their money, legal fees and other costs back. That suit is currently withdrawn pending back room negotiations between the two parties.
There are now two new lawsuits.
Ameriforge Group is suing Chubb because they were suckered into a business email compromise (where a hacker convinces someone in the company to wire money to some place because of a secret deal the CEO is working on or whatever). Chubb says that the policy covers fraud (where someone writes a bogus check or wire, for example), but in this case, an authorized employee got suckered and, sorry to be impolite, there is no sucker coverage in the policy. In this case the loss was around $500,000.
The second case is similar.
Earlier last year, Chubb was sued by Medidata Solutions after it was suckered out of about $5,000,000 in a similar “super secret” deal. Even though in this case, the company said there was some hacking involved, Chubb said the employee voluntarily sent the money, so no coverage.
The moral in this story is that companies need to understand what coverage they have and what coverage they do not have. Cyber risk insurance is not a standard form of insurance, so policy coverages vary significantly.
And, as Cottage Health discovered, even if you have coverage you have to make sure that you follow the rules if you want to get paid.
Information for this post came from Krebs on Security.