ERM Can Save Millions: Cybersecurity Case Study

News last week broke that a CNA Financial Corp. unit is seeking a judicial ruling that would waive its obligation to pay a $4.1 million settlement to Cottage Health System, on the grounds that the health system failed to meet the “minimum required practices” for cybersecurity risk management.

Cottage Health System, a Santa Barbara based non-profit organization, suffered a breach of over 30,000 medical records in the fall of 2013. The breach was caused by a third party vendor that housed personal health information (PHI) and had not installed adequate security measures to safeguard the data.

According to the insurer’s complaint, the hospital system failed to “continuously implement the procedures and risk controls identified” in its insurance application. In other words, a gap existed between Cottage Health System’s obligations and its control environment, and as a result the organization may not qualify for millions of dollars in claims resulting from the breach.

Only a week following a ruling that Traveler’s Cos, Inc. is not obligated to defend a policy holder for a claim related to cyber insurance, organizations would be wise to consider the consequences of this trend on their risk management programs.  The hospital system now finds itself in a position where it’s necessary to prove the adequacy of its risk management processes in order to even access relief from its insurance policy. With more and more policies including risk management as a component of “minimum required practices,” organizations should consider more formalized documentation of their risks, controls, and testing procedures.

Risk managers seeking to build the business case for additional Risk Management Software should consider how the circumstances of the Cottage Health System could unfold in their own businesses. To what degree does your organization rely on insurance coverage to mitigate risk? How effectively are requirements of your insurance policies transmitted into actionable procedures? And finally, how well documented are your risk management practices should you find yourself in a position to demonstrate the adequacy of your program?