Skip to main content

Don't Believe Cyber Insurance Myths

Three Crucial Lessons from Denied Cyber Insurance Payouts

Securing cyber insurance has become a cardinal rule for businesses operating in the digital age. Yet, it's essential to recognize that possessing cyber insurance does not necessarily assure a payout following a cyberattack. It's a pivotal tool for businesses but there are certain intricate details that need careful attention.

Payouts can be denied due to inadequate coverage for specific cyberattacks or non-compliance with the policy's security requirements. The success of your cyber insurance claim depends on a comprehensive understanding of your policy and diligent adherence to its stipulations. Let's demystify this with three notable instances where businesses were denied cyber insurance payouts.

1. Unveiling the Complexity:

Cottage Health vs. Columbia Casualty: During the autumn of 2013, Cottage Health System fell prey to a data breach that compromised the confidentiality of approximately 32,500 medical records and promptly filed a claim with their cyber insurer, Columbia Casualty Company. However, Columbia asserted that they weren't obliged to cover Cottage Health's losses, citing non-compliance with the policy's risk control conditions. This case underscores the necessity of comprehending and complying with your policy’s terms for a successful claim.

2. The Cost of Indirect Losses:

BitPay vs. Massachusetts Bay Insurance Company: BitPay, a global cryptocurrency payment service provider, experienced a financial blow when a phishing scam led to the fraudulent transfer of more than 5,000 bitcoins. The credentials of BitPay’s CFO was used to break into the network of BitPay’s business partner. Despite filing a $1.8 million insurance claim, Massachusetts Bay Insurance Company declined it, arguing the loss was indirect since the policy did not cover having a business partner phished and therefore the claim was outside of the policy's purview.

As BitPay battles the denial, the case serves as a stark reminder for businesses to thoroughly review policies and ensure comprehension of covered scenarios. It also spotlights the significance of regular employee security awareness training to prevent similar incidents.

3. The Importance of Authenticity:

International Control Services vs. Travelers Property Casualty Company: In an ongoing dispute, Travelers Property Casualty Company petitioned a district court to dismiss a ransomware claim by International Control Services, alleging the latter did not appropriately implement multifactor authentication (MFA) – a crucial prerequisite for cyber insurance. The insurer argues International Control Services only used MFA on its firewall, leaving other systems exposed, contrary to their policy application claims.

This case highlights the rising vigilance of insurers scrutinizing businesses' cybersecurity protocols during underwriting and underscores the need for businesses to be truthful about their cybersecurity measures. As a result, Travelers Property Casualty Company is seeking to have the insurance contract invalidated and to be released from any obligation to defend or reimburse International Control Services for any claims.

The Path Forward: Act Now and Act Wisely

From misinterpreting complex insurance jargon to neglecting cybersecurity hygiene, various factors can lead to denial of cyber insurance payouts. To circumvent these pitfalls, it is recommended to engage with a knowledgeable IT service provider to assess your risks and architect a robust cybersecurity plan. Reach out today for a no-obligation consultation and secure your business's future in the cyber world.


About the author

Erik V. Castle