
Manage Tomorrow's Surprises Today

Steven Minsky

ERM Can Save Millions: Cybersecurity Case Study


News broke last week that a CNA Financial Corp. unit is seeking a judicial ruling that would waive its obligation to pay a $4.1 million settlement to Cottage Health System, on the grounds that the health system failed to meet the "minimum required practices" for cybersecurity risk management.

Cottage Health System, a Santa Barbara-based non-profit organization, suffered a breach of over 30,000 medical records in the fall of 2013. The breach was caused by a third-party vendor that housed personal health information (PHI) and had not installed adequate security measures to safeguard the data.

According to the insurer's complaint, the hospital system failed to "continuously implement the procedures and risk controls identified" in its insurance application. In other words, a gap existed between Cottage Health System's obligations and its control environment, and as a result the organization may not qualify for millions of dollars in claims resulting from the breach.

Only a week after a ruling that Travelers Cos., Inc. is not obligated to defend a policyholder for a claim related to cyber insurance, organizations would be wise to consider the consequences of this trend for their risk management programs. The hospital system now finds itself in a position where it must prove the adequacy of its risk management processes in order to even access relief under its insurance policy. With more and more policies including risk management as a component of "minimum required practices," organizations should consider more formalized documentation of their risks, controls, and testing procedures.

Risk managers seeking to build the business case for additional risk management software should consider how the circumstances of Cottage Health System could unfold in their own businesses. To what degree does your organization rely on insurance coverage to mitigate risk? How effectively are the requirements of your insurance policies translated into actionable procedures? And finally, how well documented are your risk management practices should you find yourself in a position where you must demonstrate the adequacy of your program?

Enterprise Risk Management software can help organizations adhere to industry best practices related to cybersecurity. For more information, we invite you to download our annotated eBook on meeting the Cybersecurity guidelines published by the SEC.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
