A voided lawsuit from a cyber insurance carrier claiming its customer misled it on its insurance application could potentially pave the way to change how underwriters evaluate self-attestation claims on insurance applications.
The case — Travelers Property Casualty Company of America v. International Control Services Inc. (ICS) — hinged on ICS claiming it had multifactor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May the company experienced a ransomware attack. Forensics investigators determined there was no MFA in place, so Travelers asserted it should not be liable for the claim.
The case (No. 22-cv-2145) was filed in the U.S. District Court for the Central District of Illinois on July 6. At the end of August, the litigants agreed to void the contract, ending ICS's efforts to have its insurer cover its losses.
This case was unusual in that Travelers maintained the misrepresentation "materially affected the acceptance of the risk and/or the hazard assumed by Travelers" in the court filing.
Taking a client to court is a departure from other similar cases where an insurance company simply denied the claim, but it is hardly unique, said Scott Godes, a partner at Barnes & Thornburg LLP, a Washington, D.C.-based law firm.
"I have seen this issue bubbling up over the last few years. From my perspective, insurance carriers have made this a hard market — raising premiums and lowering limits — and that has emboldened them to choose the nuclear option by rescinding coverage," Godes says.
Security should be proactive, stopping possible breaches before they occur rather than simply responding to each successful attack, notes Sean O'Brien, visiting fellow at the Information Society Project at Yale Law School and the founder of Privacy Lab at Yale Law School.
"The insurance industry is likely to become more and more persnickety as cybersecurity claims rise, defending their bottom line and avoiding reimbursement wherever possible," O'Brien says. "This has always been the role of insurance adjusters, of course, and their business is in many ways adversarial to your organization's interests after the dust settles from a cyberattack."
That said, organizations should not expect a payout for poor cybersecurity policies and practices, he notes.
While the Travelers case was specifically about the single MFA security control, insurance companies might modify their underwriters' reliance on self-attestation without some type of third-party verification on other security controls going forward, notes Jess Burn, a senior analyst at Forrester Research.
"The lawsuits and the rescinding of coverage, the calling out of the insured and the policyholders on little fibs that they told, or omission of details around how they're protected in their secure practices" appear to be an emerging trend, Burn says.
One option to eliminate any questions about whether a company is implementing security controls is to provide verified support, she adds. Even if the transparency is not required, providing third-party verification that controls are in place for MFA, third-party risk management, endpoint detection, or any of the myriad of security controls should eliminate any misunderstanding or concerns in advance of the policy being issued.
Evolving Cyber Insurance
While technology and security implementations change over time, cyber insurance companies reevaluate their underwriting controls annually, notes Marc Schein, national co-chair at the Cyber Center for Excellence at Marsh McLennan Agency, the world's largest insurance broker. Unlike common casualty insurance policies, which have a very extensive statistical history for underwriters, cyber insurance is still considered a nascent field and underwriters are still perfecting their algorithms and analysis to best price risk.
One area where underwriters rely heavily on self-attestation from companies concerning their risk profile is controls: what controls they have in place, how well they were configured, and their effectiveness. At times, Schein continued, an underwriter might require an insurance prospect to undergo evaluations such as a penetration test. Should the test come back with a significantly different result than anticipated — for example, if 100 ports are open that the prospect said were closed — the insurance company likely would have a discussion about those open ports, as well as other attestations, to determine whether the company was deliberately trying to hide a problem or whether there was an accidental error.
CISOs are reluctant to answer questions on applications that might lead the underwriter to require significant investments to mitigate the problem before insurance is approved, says Schein. If a company indicates it plans to invest in the mitigation efforts but the project is not expected to be completed until after the date the insurance becomes effective, the insurer might compromise by binding the application but limiting the actual coverage to a percentage of the policy's limits — perhaps 10% of a policy's $1 million coverage limit — until such time as the remediation efforts are complete.
"It's remarkable that insurance carriers refuse to test, inspect, or engage in loss control when underwriting," attorney Godes notes. "Maybe they believe that they can just pull the rug out from underneath unaware policyholders, relying on rescission to avoid covering risks that the insurers could have inspected on their own."
Godes is not sold on the idea that cyber insurers are simply readjusting their underwriting procedures. "The industry is making it more and more challenging to respond to their applications," he notes, "and there continues to be vagaries in the applications."
"In my experience," he says, "the only investigation [by cyber insurers] is an effort to figure out how the carrier can rescind coverage, or threaten to do so, rather than figure out if the claim is covered and how it should be settled."