Businesses Were Denied Cyber Insurance Payouts Three Times

By Samudra Vijay In Blog



Businesses Were Denied Cyber Insurance Payouts Three Times

Cyber insurance is a type of insurance that protects businesses against financial losses caused by a cyberattack. While it is a necessary tool for businesses of all sizes, there are a few things you should know before purchasing a policy.

Simply having cyber insurance does not guarantee you a payout in the event of an incident. This is because you may not have adequate coverage for certain types of cyberattacks, or you may have violated your policy’s security requirements. As a result, it is critical to thoroughly review your policy to ensure that your company is adequately protected.

Learn from history

Here are three real-world examples of cyber insurance claims that were denied:

Columbia Casualty vs. Cottage Health

The problem was caused by a data breach at Cottage Health System. They notified Columbia Casualty Company, their cyber insurer, and filed a claim for coverage.

Columbia Casualty, on the other hand, sought a declaratory judgment against Cottage Health, claiming that they were not required to defend or compensate Cottage Health because the insured did not follow the terms of their policy. Cottage Health agreed to maintain specific minimum risk controls as a condition of their coverage, which they then failed to do, according to Columbia Casualty.

This case emphasizes the importance of organizations reading their cyber policy, understanding what it contains, and adhering to its terms.

Massachusetts Bay Insurance Company vs. BitPay

BitPay, a leading global cryptocurrency payment service provider, filed an insurance claim for $1.8 million, which Massachusetts Bay Insurance Company denied. A phishing scam in which a hacker broke into the network of BitPay’s business partner, stole the credentials of BitPay’s CFO, pretended to be the CFO of BitPay, and requested the transfer of more than 5,000 bitcoins to a fake account caused the loss.

In its denial, Massachusetts Bay Insurance stated that BitPay’s loss was indirect and thus not covered by the policy. According to Massachusetts Bay Insurance, having a business partner phished does not count under the policy.

Although BitPay has filed an appeal, this case highlights the importance of carefully reviewing insurance policies to ensure you understand what scenarios are covered. This

incident also emphasizes the importance of employee security awareness training and the need to contact an IT service provider if you do not have a regular training policy in place.

Travelers Property Casualty Company vs. International Control Services

Travelers Property Casualty Company asked a district court to dismiss International Control Services’ claim of a ransomware attack. International Control Services, according to the company, failed to effectively use multifactor authentication (MFA), which was required to obtain cyber insurance. MFA is a type of authentication that employs multiple factors to validate a user’s identity.

According to Travelers Property Casualty Company, International Control Services falsely stated on its policy application materials that MFA is required for employees and third parties to access email, log into the network remotely, and access endpoints, servers, and so on. They claimed that International Control Services only used the MFA protocol on its firewall and that access to its other systems, including the servers targeted by the ransomware attack, was not protected by MFA.

This case serves as a reminder that insurers are increasingly scrutinizing companies’ cybersecurity practices when underwriting policies, and that companies must be honest about their cybersecurity posture.

Travelers Property Casualty Company has requested that the court declare the insurance contract null and void, cancel the policy, and declare that it has no obligation to reimburse or defend International Control Services for any claim.

Do not be late in acting.

As previously stated, there are a variety of reasons why businesses may be denied payouts under their cyber insurance policies. It could also be the result of a naive error, such as misinterpreting difficult-to-understand insurance jargon. In some cases, businesses may practice poor cybersecurity hygiene.

An IT service provider can assist you in avoiding these issues by assessing your risks and developing a comprehensive cybersecurity plan with you. Please contact us for a no-obligation consultation.

Download our infographic titled “What Every Small Business Needs to Know About Cyber Insurance” by clicking here to learn more about cyber insurance.