Healthcare-Industry.jpg?width=300News last week broke that a CNA Financial Corp. unit is seeking a judicial ruling that would waive its obligation to pay a $4.1 million settlement to Cottage Health System, on the grounds that the health system failed to meet the “minimum required practices” for cybersecurity risk management.

Cottage Health System, a Santa Barbara based non-profit organizations, suffered a breach of over 30,000 medical records in the fall of 2013. The breach was caused by a third party vendor that housed personal health information (PHI) and had not installed adequate security measures to safeguard the data.

According to the insurer’s complaint, the hospital system failed to “continuously implement the procedures and risk controls identified” in its insurance application. In other words, a gap existed between Cottage Health System’s obligations and its control environment, and as a result the organization may not qualify for millions of dollars in claims resulting from the breach.

Only a week following a ruling that Traveler’s Cos, Inc. is not obligated to defend a policy holder for a claim related to cyber insurance, organizations would be wise to consider the consequences of this trend on their risk management programs.  The hospital system now finds itself in a position where it’s necessary to prove the adequacy of its risk management processes in order to even access relief from its insurance policy. With more and more policies including risk management as a component of “minimum required practices,” organizations should consider more formalized documentation of their risks, controls, and testing procedures.

Risk managers seeking to build the business case for additional Risk Management Software should consider how the circumstances of the Cottage Health System could unfold in their own businesses. To what degree does your organization rely on insurance coverage to mitigate risk? How effectively are requirements of your insurance policies transmitted into actionable procedures? And finally, how well documented are your risk management practices should you find yourself in a position to demonstrate the adequacy of your program?

Enterprise Risk Management software can help organizations adhere to industry best practices related to cybersecurity. For more information, we invite you to download our annotated eBook on meeting the Cybersecurity guidelines published by the SEC.

Votes: 0
E-mail me when people leave their comments –

Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his precinct abilities to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community


  • Great point, and a topic to be discussed at our 5th Enterprise Risk Management Conference this September! Join us to harness strategic methods for mitigating internal and external data breaches to strengthen cyber security.
    marcus evans north america conferences | 5th Annual Enterprise Risk Management Canada
    5th Annual Enterprise Risk Management Canada - marcus evans north american conferences, strategic business conferences and corporate marketing events
This reply was deleted.

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!