In late 2013, Cottage Health System, the operator of a network of hospitals in Southern California, discovered that hackers had stolen 32,500 patient records.

Cottage was sued for $4.1 million, which was paid by the insurer, Columbia Casualty Co., as provided by the policy.

Now, Columbia is suing Cottage for reimbursement, alleging that Cottage and its third-party vendor, INSYN Computer Solutions Inc., stored medical records on a system that was fully accessible to the Internet because they failed to install encryption or take other security measures as required by the policy terms.

"Insurers are denying coverage to companies that fail to take even the most obvious security measures. But many businesses don't think about security vulnerabilities with open-source software," says Mike Pittenger, vice president of product strategy for Burlington, Mass.-based Black Duck Software, which helps companies safeguard and manage their use of such tools.

Source of trouble

Open-source software is generally what we think of as "free" software developed by communities, such as OpenSSL or Mozilla Firefox, Pittenger explains. It's trusted enough that companies use many of these open-source libraries to provide the basic functionality they need in an application; the company then adds its own logic code to make the application work the way the developer wants it to. Even large developers such as Microsoft may incorporate some open-source tech into their products.

The trouble starts when an open-source component gets a security update or patch, Pittenger says, but the company doesn't know that the component is buried inside the commercial software it's using, so the fix never gets applied and its data security risk goes up. As a result, businesses are hiring Black Duck Software and similar vendors to notify them when new vulnerabilities are discovered in the components they use, and to help them patch or update the software.

Pittenger provides the following six tips for agents who want to help their clients minimize their software vulnerabilities.

1. Comply with federal and state regulations.

Depending on what kind of business your clients operate, they also may be responsible for compliance with state and federal laws, Pittenger points out. In addition to the lawsuits by patients, Cottage Health System is facing an investigation by the California Department of Justice. The investigation will determine whether Cottage complied with its HIPAA obligations and any other pertinent state and federal laws. Depending on its findings, Cottage may face fines, sanctions or penalties.

Agents whose clients include medical or dental offices, pharmacies, or other healthcare providers should always remind them that they must have controls in place to comply with HIPAA and related laws such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

2. Secure all devices, including smartphones and tablets.

"Remind your clients to consider handheld devices," Pittenger says, and to understand how they connect to corporate networks and what data is stored on them.

This advice doesn't just pertain to your clients: Many insurance professionals use mobile devices while working remotely, but those generally don't have the same level of security as corporate laptops or desktops.

3. Know where your data is.

"Small retailers or similar businesses often outsource PCI [payment card industry] compliance," Pittenger observes. "When your dry cleaner swipes your credit card, the information often goes to a third-party processor." Other small businesses may use a vendor like Square or PayPal.

Agents should explain to clients that they still have primary liability for the data, even though the outsourcing agreement may include a requirement for the vendor to meet PCI security standards. "Advise your clients to be sure they're not storing credit card numbers on any electronic devices or local computers," Pittenger says. Outsourced data goes into the cloud, and it should be encrypted in transit and at rest.
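
The first of those points, that no card numbers are sitting in local files or logs, is something a client can actually check rather than assume. The script below is an added example for this article, not code from Black Duck or any other company named here. It uses the usual PAN-discovery heuristics (a 13-to-19-digit candidate pattern with optional space or dash separators, then the Luhn check to discard phone and order numbers) and scans a constructed point-of-sale log; the output masks everything but the last four digits so the report itself does not become cardholder data.

```python
"""Discover payment card numbers that should not be on local disks or in logs.

Added example for this article, not code from any company named in it.
The candidate pattern (13-19 digits, optional space/dash separators) and the
Luhn check are the usual PAN-discovery heuristics; SAMPLE_LOG is constructed.
"""
import re
from typing import List, Tuple

# 13-19 digits, each optionally followed by a space or dash, not embedded in a
# longer digit run (the look-arounds stop a 20-digit serial number matching).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a point-of-sale log that is keeping more than it should.
# Line 3 carries a 13-digit reference number that fails Luhn and is not reported.
SAMPLE_LOG = """\
2015-03-02 order 1001 customer=jdoe card=4111 1111 1111 1111 exp=09/17
2015-03-02 order 1002 customer=asmith token=tok_1A2b3C4d5E6f7G8h
2015-03-03 phone 805-555-0199 ref 1234567890123
2015-03-03 order 1003 card=5500-0000-0000-0004
"""


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Show only the last four digits, so the report is not cardholder data itself."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


def report(text: str) -> List[str]:
    """Human-readable findings, one per hit."""
    return [f"line {n}: stored card number {p}" for n, p in find_pans(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Point it at exports, log directories and backups, not just the point-of-sale database. The Luhn check removes most phone and order numbers, but a reference number that happens to pass Luhn will still surface, so treat hits as leads to verify, and fix the finding by removing the data or tokenizing it rather than by tuning the scanner.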

Businesses also should ask about the physical security at the data storage center as well as its information security, he adds. For example, many data centers require a handprint to enter or only allow one person at a time to pass through the door.

4. Monitor continuously.

When a client purchases Cyber coverage, the policy sets minimum security standards the client must meet. Educate your clients that they are ultimately responsible for meeting those standards, even when they have outsourced their data management, says Pittenger. Just signing a contract isn't enough, as Cottage learned: its third-party vendor is too small to reimburse Columbia for the cost of the settlement, so Cottage may have to repay the $4.1 million if it loses its case.

Educating the buyers of Cyber insurance about their obligations to meet the policy's minimum requirements in order to maintain that insurance is very important, Pittenger says. But before companies can manage their risk, they need controls in place, and your clients must understand the vulnerabilities of their systems.

Ongoing monitoring, which is more than just auditing technology operations once a year, is key, Pittenger explains. Agents should explain to clients that the insurance company will most likely do an audit, a snapshot in time of the security profile of the business, before issuing coverage, but that the client is responsible for monitoring from then on.

Agents also should be aware that their small-business clients are especially vulnerable. "Smaller organizations often use packaged software, and they outsource their IT management," Pittenger notes, "so they don't have a security center that's doing any monitoring, or they don't think about it."

5. Practice more than the basic measures in network security.

Pittenger notes that the minimum security requirements from Columbia were what he characterizes as "basic hygiene." For example, Cottage was required to change the default password that came with its network firewall. If the software that Cottage was using issued a patch or update, Cottage was required to install it within 60 days. However, Cottage, like many other organizations, outsourced its technology operations to a third party that didn't follow the policy's minimum requirements. In addition, Cottage didn't have controls in place to ensure that the requirements were being met, and consequently it was hacked.

"Cyber coverage requires due diligence on the part of the insured," Pittenger points out, "and agents should be asking their clients how well they're managing the risk of a data breach." At a minimum, most policies include a requirement to install patches as they're issued by the software companies. Failure to install the patches can lead to denial of coverage, as the Cottage case demonstrates.
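
A patch-window term like the 60 days described above can only be honoured if the organization knows which open-source components are bundled inside the commercial software it runs, which is the gap the "Source of trouble" section describes. The script below is an added example for this article, not code from Black Duck, Columbia or any other company named here. It keeps a small inventory that records the bundled component behind each product, checks it against an advisory list, and flags anything whose fix has been public for longer than the window. The inventory, the advisory entries (their identifiers are constructed, not real CVEs), the dates and the 60-day window are all constructed for the example; version comparison handles dotted numeric versions with an optional trailing letter, as OpenSSL 1.0.x used, and nothing else.

```python
"""Inventory bundled open-source components and check them against advisories
and a patch-window policy term.

Added example for this article; not code from Black Duck, Columbia Casualty,
Cottage or anyone else named on the page. INVENTORY, ADVISORIES, AS_OF and the
60-day window are constructed; advisory identifiers are not real CVEs.
Assumes versions of the form 1.2.3 or 1.0.1e (dotted numbers, optional
trailing letter); other schemes would need their own parser.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed identifier, not a real CVE
    component: str
    fixed_version: str    # first version that carries the fix
    fix_released: date    # when that version became available


@dataclass(frozen=True)
class Finding:
    product: str
    component: str
    installed: str
    fixed_version: str
    advisory_id: str
    days_since_fix: int
    outside_window: bool  # True when the fix has been available longer than the window


# Constructed inventory: (product, product version, bundled component, component
# version). The last two columns are what most organizations never record.
INVENTORY: List[Tuple[str, str, str, str]] = [
    ("PatientPortal", "3.2", "openssl", "1.0.1e"),
    ("PatientPortal", "3.2", "zlib", "1.2.8"),
    ("WebFrontEnd", "5.0", "apache-httpd", "2.4.7"),
]

# Constructed advisories (identifiers and dates are illustrative only).
ADVISORIES: List[Advisory] = [
    Advisory("ADV-2014-001", "openssl", "1.0.1g", date(2014, 4, 7)),
    Advisory("ADV-2014-002", "apache-httpd", "2.4.10", date(2014, 6, 20)),
    Advisory("ADV-2013-009", "zlib", "1.2.8", date(2013, 5, 1)),
]

AS_OF = date(2014, 7, 1)          # constructed "today" for the example
PATCH_WINDOW_DAYS = 60            # mirrors the policy term in the article


def parse_version(v: str) -> Tuple:
    """'1.0.1e' -> (1, 0, 1, 'e'); '2.4.7' -> (2, 4, 7). Tuples compare naturally,
    so '2.4.10' sorts after '2.4.7' and '1.0.1g' after '1.0.1e'."""
    parts: list = []
    for piece in v.split("."):
        digits = piece.rstrip("abcdefghijklmnopqrstuvwxyz")
        parts.append(int(digits))
        if piece != digits:
            parts.append(piece[len(digits):])
    return tuple(parts)


def evaluate(inventory: List[Tuple[str, str, str, str]],
             advisories: List[Advisory],
             today: date,
             patch_window_days: int = PATCH_WINDOW_DAYS) -> List[Finding]:
    """Flag every bundled component below its fixed version, marking those
    whose fix has been public longer than the patch window."""
    by_component: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)
    findings: List[Finding] = []
    for product, _prod_ver, component, comp_ver in inventory:
        for adv in by_component.get(component, []):
            if parse_version(comp_ver) >= parse_version(adv.fixed_version):
                continue  # already at or past the fixed version
            days = (today - adv.fix_released).days
            findings.append(Finding(product, component, comp_ver, adv.fixed_version,
                                    adv.advisory_id, days, days > patch_window_days))
    return findings


def run_check() -> List[Finding]:
    """Evaluate the constructed inventory as of the constructed date."""
    return evaluate(INVENTORY, ADVISORIES, AS_OF)


def overdue(findings: List[Finding]) -> List[Finding]:
    """The subset that already breaches the patch-window term."""
    return [f for f in findings if f.outside_window]


if __name__ == "__main__":
    for f in run_check():
        status = "OUTSIDE WINDOW" if f.outside_window else "within window"
        print(f"{f.product} bundles {f.component} {f.installed}: fixed in "
              f"{f.fixed_version} ({f.advisory_id}, {f.days_since_fix} days ago) {status}")
```

The value is in the inventory column that names the bundled component: without it, the openssl finding above is invisible, because the organization only knows it runs "PatientPortal 3.2". Keep that inventory current from the vendor's release notes or a composition-analysis tool, and make the overdue list the input to the third party's change queue, since, as the next tip puts it, the operation can be outsourced but the responsibility cannot.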

6. Understand the software that you're using.

Business clients must "understand the software [they're] using, its security measures and vulnerabilities," Pittenger says. As a first step, counsel them to know what information they have, where it is at all times, and what applications control it. This will help your clients prioritize application security efforts.

Next, remind your clients to have policies and procedures to update the software whenever updates are available, and to ensure that those policies and procedures are followed correctly and promptly. If your clients use third parties to manage technology, have them stipulate that their third parties establish policies and procedures as well. "You can outsource the operation, but not the responsibility for the security," Pittenger adds.

© 2024 ALM Global, LLC, All Rights Reserved.

Rosalie Donlon

Rosalie Donlon is the editor in chief of ALM's insurance and tax publications, including NU Property & Casualty magazine and NU PropertyCasualty360.com. You can contact her at [email protected].