Cyber, Cyber, Cyber: it has been the broken record in the insurance world for the past several years and, frankly, industry professionals do not see an end in sight. Most consumers have learned more about MFA (Multi-Factor Authentication) and endpoints than we ever cared to, and have taxed our IT (Information Technology) departments to stay ahead of the privacy and security curve.
Security Breaches are Significant Threats
According to a recent survey performed by Tech.co, 63% of small businesses view security breaches as a significant threat to their business’ growth. With cyberattacks on the rise and ransomware attacks likely to cripple companies that haven’t prepared, now is the time to review your Cyber and Security practices and ensure you have taken all steps to properly insulate yourself from this growing concern.
The Cyber marketplace has continued to offer rising costs, ever-changing underwriting requirements, and newly filed non-standard policy forms. As part of the new and renewal cyber insurance process, applications must be prepared and become warranties of policy coverage. It is imperative that these applications be fully and accurately completed for coverage to apply.
Cyber In The Courts
Recent litigation filed in a district court is bringing this situation to life. In Travelers Property Casualty Co. of America v. International Control Services Inc., No. 22-cv-2145, filed July 6, 2022, in the U.S. District Court for the Central District of Illinois, Travelers alleged that ICS submitted an application for coverage in March, executed by the CEO, that represented full MFA compliance, including for administrative and privileged access.
ICS had previously suffered a ransomware attack in December of 2020 and represented that they had made significant security improvements required by the insurer when applying for Cyber risk coverages. In May, the insured experienced a ransomware event where hackers gained access to the server and unleashed a virus called Zeon. During the routine investigation of the incident, it became apparent that the insured was using the security control to protect only the firewall, not the server or any other digital asset.
Therefore, Travelers has alleged that statements made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements” all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers.”
Like many carriers, Travelers requires that policyholders protect digital assets with MFA, whereby a user seeking to access the company computer network, email, or other programs must pass through two or more tests to verify their identity. Travelers requires a separate MFA Attestation as part of the policy application process to confirm adherence to the MFA requirement.
According to a year-long study conducted by Google, New York University, and the University of California, San Diego, MFA blocked 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks on users’ Google accounts. The U.S. Cybersecurity & Infrastructure Security Agency declared that businesses should implement MFA “across all networks, systems, and applications.”
Not only can using MFA help prevent a breach, but using MFA to the full extent required will ensure that policyholders actually have the coverage they are depending on to respond to the breach. Armed with this data, many insurers are requiring full MFA compliance to offer an option for coverage.
Travelers is asking the District Court to rescind the policy fully and declare that ICS is unable to turn to the policy for coverage for the ransomware attack. In general, insurers can rescind an insurance policy if a material misrepresentation or concealment of facts was made, even if the policyholder did not intend to deceive the insurer. The outcome turns on whether the misrepresentation was material in nature. That is determined by asking whether the carrier, had it known the truth, would not have issued the policy. Travelers has the burden of proving these allegations in order to succeed in court.
Review Your Cyber Coverage
May this case serve as a subtle reminder that policyholders must carefully review applications prepared for new and renewal cyber coverage to ensure the accuracy of the information provided and that the security controls warranted meet the minimum standards the carrier requires. Your team of professionals at Sentinel can offer recommended vendors or resources to help policyholders implement needed security controls. Contact us today to learn how to further Safeguard Your Success.