An invalidity lawsuit by a cyber insurer alleging its customer misled it on its insurance application could potentially pave the way for changing how insurers assess self-verification requirements on insurance applications.
The case, Travelers Property Casualty Company of America v. International Control Services Inc. (ICS), centered on ICS's claim that it had multi-factor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May, the company experienced a ransomware attack. Forensic investigators determined there was no MFA in place, so Travelers argued it should not be liable for the claim.
The case (No. 22-cv-2145) was filed in the U.S. District Court for the Central District of Illinois on July 6. In late August, the parties agreed to cancel the contract, ending ICS’ efforts to have its insurance company cover its losses.
This case was unusual in that Travelers maintained in the lawsuit that the misrepresentation “substantially affected the acceptance of the risk and/or danger assumed by Travelers.”
Taking a client to court is a departure from other similar cases where an insurer simply denied the claim, but it is hardly unique, said Scott Godes, a partner at Barnes & Thornburg LLP, a Washington, DC-based law firm.
“I’ve seen this issue bubble up over the last couple of years. From my perspective, insurance companies have made this a tough market — raising premiums and lowering limits — and that’s encouraged them to go for the nuclear option by dropping coverage,” says Godes.
Security should be proactive and stop potential breaches before they occur, rather than simply reacting to every successful attack, notes Sean O’Brien, visiting fellow at the Information Society Project at Yale Law School and the founder of the Privacy Lab at Yale Law School.
“The insurance industry is likely to become increasingly concerned as cyber security demands increase, defending their bottom line and avoiding reimbursement where possible,” says O’Brien. “This, of course, has always been the role of insurance adjusters, and their business is in many ways antithetical to your organization’s interests after the dust settles from a cyber attack.”
That said, organizations shouldn’t expect a payoff for poor cybersecurity policies and practices, he notes.
While the Travelers case was specifically about the single MFA security check, insurers may, going forward, change their reliance on self-attestation without some form of third-party verification for other security controls as well, notes Jess Burn, senior analyst at Forrester Research.
“The lawsuits and the rescinding of coverage, the calling of the insured and the policyholders on little fibs that they told, or the omission of details about how they are protected in their safe practices” seems to be a new trend, says Burn.
One option to remove any questions about whether a company is implementing security controls is to provide verified support, she adds. Even if the transparency is not required, third-party verification that controls are in place for MFA, third-party risk management, endpoint detection, or one of the myriad security controls should eliminate any misunderstanding or concern before the policy is issued.
Cyber insurance in development
While technology and security implementations change over time, cyber insurers reevaluate their insurance controls annually, notes Marc Schein, national co-chair of the Cyber Center for Excellence at the Marsh McLennan Agency, the world’s largest insurance broker. Unlike general casualty insurance, which has a very extensive statistical history for insurance companies, cyber insurance is still considered a nascent field, and insurance companies are still perfecting their algorithms and analytics to best price risk.
One area where insurers rely heavily on self-certification from companies regarding their risk profile is controls: what controls they have in place, how well they are configured, and how effective they are. At times, Schein continued, an underwriter may require an insurance prospect to undergo evaluations such as a penetration test. Should the test come back with a significantly different result than expected (for example, if 100 ports are open that the prospect said were closed), the insurer would likely have a discussion about those open ports, as well as other evidence, to determine whether the company deliberately attempted to hide a problem or made an accidental error.
CISOs are reluctant to answer application questions that may lead the underwriter to require significant investments to mitigate the problem before the insurance is approved, Schein says. If a company indicates that it plans to invest in the mitigation effort, but the project is not expected to be completed until after the effective date of the policy, the insurer may compromise by binding the application but limiting the actual coverage to a percentage of policy limits, perhaps 10% of a policy’s $1 million coverage limit, until remedial efforts are complete.
“It is remarkable that insurance companies refuse to test, inspect or engage in loss control when underwriting,” notes attorney Godes. “Maybe they think they can just pull the rug out from under unwitting policyholders, relying on termination to avoid covering risks that insurers could have inspected on their own.”
Godes isn’t sold on the idea that cyber insurers are simply adjusting their underwriting procedures. “The industry is making it more and more challenging to respond to their applications,” he notes, “and applications continue to be capricious.”
“In my experience,” he says, “the only study [by cyber insurers] is an attempt to find out how the carrier can cancel coverage or threaten to do so rather than to find out whether the claim is covered and how it should be determined.”