In late 2013 Cottage Health System, the operator of a network of hospitals in Southern California, discovered that hackers had stolen 32,500 patient records. Cottage was sued for $4.1 million, which was paid by the insurer, Columbia Casualty Company, as provided by the policy.

Now, Columbia is suing Cottage for reimbursement, alleging that Cottage and its third-party vendor, INSYN Computer Solution, Inc., stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information as required by the policy.

"Insurers are denying coverage to companies that fail to take even the most obvious security measures. But many businesses don't think about security vulnerabilities with open source software," says Mike Pittenger, vice president of product strategy for Black Duck Software, Burlington, Mass., which helps companies safeguard and manage their use of such software.

Open source software is generally what we think of as "free" software developed by communities, OpenSSL or Mozilla Firefox, for example, Pittenger explains. It's trusted enough that companies use many of these open source libraries to provide the basic functionality they need in an application, and then write their own application logic on top to make the application work the way the developer wants it to work. Even large developers like Microsoft may incorporate some open source software into their products.

The problem comes when open source software is updated or patched, Pittenger says, but companies don't know that the code is buried in the commercial software they're using, so the patch never gets applied and their data security risk increases. As a result, businesses are hiring Black Duck Software, among others, to notify them when new vulnerabilities are discovered in the components they use and to help them patch or update the software.

Pittenger offers the following six tips for agents who want to help their clients minimize their software vulnerabilities.

1. Meet minimum requirements for cyber coverage

Pittenger notes that the minimum security requirements from Columbia were what he characterizes as "basic hygiene." For example, Cottage was required to change the default password that came with its network firewall. If the software Cottage was using issued a patch or update, Cottage was required to install it within 60 days. However, Cottage, like many other organizations, outsourced its technology operations to a third party that, according to Columbia's complaint, didn't meet the minimum requirements of the policy. In addition, Cottage didn't have controls in place to verify that the requirements were being met, and consequently it was breached.

"Cyber coverage requires due diligence on the part of the insured," Pittenger points out, "and agents should be asking their clients how well they're managing the risk of a data breach." At a minimum, most policies include a requirement to install patches as they're issued by the software companies. Failure to install the patches can lead to denial of coverage, as the Cottage case illustrates.
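
Pittenger's point about components buried in the software you run, and the 60-day patch window in Cottage's policy, reduce to one mechanical check: compare an inventory of the components you run against the fixes published for them, and flag anything whose fix has been available longer than the policy allows. The Python script below is an added example written for this page; it is not code from Black Duck Software, Columbia or the article. The component names, versions and dates are constructed for illustration, the 60-day window is the policy term described above, and the version-comparison rule is an assumption that covers dotted numeric versions and single-letter suffixes only.

```python
"""Patch-window check: flag components whose fix has been public longer
than the insurer's patch window. Added example; every component, version
and date below is constructed for illustration, not taken from a real
product or advisory."""
from dataclasses import dataclass
from datetime import date
import re

PATCH_WINDOW_DAYS = 60        # the policy term described in the article
AS_OF = date(2014, 11, 1)     # constructed "today" so the run is reproducible


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str     # first version that contains the fix
    published: date   # date the fixed version became available


def parse_version(version: str) -> tuple:
    """Split a version string into a tuple that compares numerically.

    Plain string comparison gets this wrong ('2.9.0' > '2.10.0' as strings);
    splitting into numeric and alphabetic runs handles dotted numbers and
    letter suffixes ('1.0.1f' < '1.0.1g', '1.0.1' < '1.0.1a'). Pre-release
    tags such as '-beta' are deliberately not handled (assumption).
    """
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        # The leading 0/1 tag keeps ints from ever being compared with strings
        # and sorts a numeric run before an alphabetic run at the same position.
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def is_vulnerable(component: Component, advisory: Advisory) -> bool:
    """True when the advisory names this component and the installed
    version predates the first fixed version."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def overdue_patches(inventory, advisories, today):
    """Return (component, installed, fixed_in, days_past_window) for every
    component still on a vulnerable version whose fix has been public for
    longer than PATCH_WINDOW_DAYS. A component whose fix is newer than the
    window is not reported: the policy still allows that time."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if not is_vulnerable(comp, adv):
                continue
            fix_age = (today - adv.published).days
            if fix_age > PATCH_WINDOW_DAYS:
                findings.append((comp.name, comp.version, adv.fixed_in,
                                 fix_age - PATCH_WINDOW_DAYS))
    return findings


# Constructed inventory and advisories; the component names are hypothetical.
INVENTORY = [
    Component("libexample", "1.0.1f"),
    Component("dbdriver", "2.3.0"),
    Component("webframework", "4.1.2"),
    Component("tlslib", "2.9.0"),
]
ADVISORIES = [
    Advisory("libexample", "1.0.1g", date(2014, 4, 7)),    # fix 208 days old: overdue
    Advisory("dbdriver", "2.3.1", date(2014, 9, 15)),      # fix 47 days old: inside window
    Advisory("webframework", "4.1.0", date(2014, 1, 15)),  # already on a fixed version
    Advisory("tlslib", "2.10.0", date(2014, 1, 10)),       # string compare would miss this
]


def report(today: date = AS_OF):
    """Run the check over the constructed data as of the given date."""
    return overdue_patches(INVENTORY, ADVISORIES, today)


if __name__ == "__main__":
    for name, installed, fixed_in, late in report():
        print(f"{name} {installed}: fix available in {fixed_in}, "
              f"{late} days past the {PATCH_WINDOW_DAYS}-day window")
```

Run as of the constructed date, the check reports libexample (fix 148 days past the window) and tlslib (235 days past), stays silent on dbdriver because its fix is still inside the 60 days, and ignores webframework because it already runs a fixed version. The tlslib case is why the version parser exists: compared as strings, "2.9.0" sorts after "2.10.0" and the vulnerable install would look patched.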

2. Monitor continuously

If you're buying cyber coverage, you have to be aware of the minimum required standards, and understand that you're ultimately responsible for meeting those standards, even when you've outsourced data management, Pittenger says. Just signing a contract isn't enough, as Cottage learned. Its third-party vendor is too small to reimburse Columbia for the cost of the settlement, so Cottage may have to repay the $4.1 million if it loses its case.

Educating the buyers of cyber insurance about their obligations to meet the policy's minimum requirements in order to maintain that insurance is very important, Pittenger says. But before your company can manage its risk, you need controls in place, and you need to understand the vulnerabilities of your system.

Ongoing monitoring, which is more than just auditing your technology operations once a year, is key, Pittenger explains. Agents should explain to clients that the insurance company will most likely do an audit (a snapshot in time of the security profile of the business) before issuing coverage, but the client is ultimately responsible for monitoring.

Agents also should be aware that their small business clients are especially vulnerable. "Smaller organizations often use packaged software, and they outsource their IT management," notes Pittenger, "so they don't have a security center that's doing any monitoring—or they don't think about it."

3. Understand the software that you're using

"Understand the software you're using, its security measures and vulnerabilities," Pittenger says. As a first step, know what information you have, where it is at all times, and what applications control it, so you can prioritize your application security efforts.

Next, be sure you have policies and procedures to update the software whenever updates are available, and that those policies and procedures are followed correctly and promptly. If you're using a third party to manage your technology, ensure that the third party has policies and procedures in place as well. "You can outsource the operation but not the responsibility for the security," Pittenger says.

4. Know where your data is

"Small retailers or similar businesses often outsource PCI [payment card industry] compliance," Pittenger observes. "When your dry cleaner swipes your credit card, the information often goes to a third-party processor." Other small businesses may use a vendor like Square or PayPal.

Agents should explain to clients that they still have primary liability for the data, even though the outsourcing agreement may include a requirement for the vendor to meet PCI security standards. "Advise your clients to be sure they're not storing credit card numbers on any electronic devices or local computers," Pittenger says. Outsourced data is going "into the cloud," and it should be encrypted in transit and at rest.

Businesses also should ask about the physical security at the data storage center, as well as its information security, he adds. For example, many data centers require a handprint to enter, or only allow one person at a time to pass through the door.

5. Comply with federal and state regulations

Depending on what kind of business you operate, Pittenger points out, you also may be responsible for compliance with state and federal laws. In addition to the lawsuits by patients, Cottage is facing an investigation by the California Department of Justice. The investigation will determine whether Cottage complied with its obligations under HIPAA and any other pertinent state and federal laws, and may result in fines, sanctions or penalties.

For agents whose clients include medical or dental offices, pharmacies, or other healthcare providers, it's important to remind them that they must have some level of controls in place to comply with HIPAA and related laws, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

6. Secure all devices, including smartphones and tablets

"Remind your clients to consider handheld devices too," Pittenger says. Understand how they connect to your corporate network, and what data is stored on the device.

Many insurance professionals use mobile devices "on the road," but those devices generally don't have the same level of security as corporate laptops or desktops.

Selling cyber insurance coverage to small or mid-sized businesses can be a great opportunity for agents and brokers. It also provides them with opportunities to educate their clients, demonstrating the value they bring as business partners.

Rosalie Donlon

Rosalie Donlon is the editor in chief of ALM's insurance and tax publications, including NU Property & Casualty magazine and NU PropertyCasualty360.com.