A major insurance carrier is attempting to rescind a cyber policy based on the client’s alleged misrepresentation of its digital security protocols. According to reports, Travelers recently sought a ruling in the U.S. District Court for the Central District of Illinois to rescind its Cyber and Privacy Liability Insurance policy with Illinois-based International Control Services because the company was not using multifactor authentication (MFA) despite assertions that it was.
International Control Services had deployed MFA on some of its systems, but the ransomware attack targeted the company’s servers, which were not protected by MFA. The lawsuit contends that the policy should be declared null and void.
As prerequisites like using MFA become more common for Cyber and Privacy Liability Insurance policies, conflicts could continue to arise over potential misunderstandings or outright misrepresentations, said Derek Kilmer, Manager, Professional Liability, Burns & Wilcox, Detroit/Farmington Hills, Michigan.
“I do not think this is going to be the last time we see something like this, especially as companies are implementing new controls they might not have a ton of familiarity with,” Kilmer said. “A lot of carriers are really concerned about their loss ratios. They are not looking for ways to get out, by any means, but they definitely want to prequalify certain clients that fit within their programs.”
More insurance companies require multifactor authentication attestations
Studies have shown multifactor authentication to be highly effective, with Microsoft reporting in 2019 that the security measure can block over 99.9% of account compromise attacks. That figure may be eroding, however, as attackers adapt their techniques to get around it. In February, Slate reported that newer research from Google showed MFA reduced account compromises by 50%. While insurance carriers are likely to adapt their requirements to keep up with the latest security best practices, MFA remains a key safeguard for companies. “MFA is not the only way to protect yourself,” Kilmer emphasized. “It is the path of least resistance to implement, but not the only control we would recommend. We are getting more sophisticated from the security standpoint, but hackers are only getting better too. It is a constant back-and-forth and evolution in making sure our safeguards are up to date.”
“With Cyber and Privacy Liability Insurance, the underwriting community is asking for more information and more questions with greater depth of detail,” said Karl Olson, Vice President, Professional & Management Liability Practice Leader, Burns & Wilcox Brokerage, San Francisco, California. “The necessity for companies to have these data security practices in place in order to secure cyber coverage is certainly there.”
Cyberliability underwriters have become well-versed in data and network security best practices, Olson said, and companies seeking coverage can expect that they implement and maintain certain practices such as multifactor authentication, endpoint detection and protection, encryption and backups, and that they demonstrate management involvement for cyber hygiene. “Otherwise, underwriters will move onto their next submission,” he said.
Qualifying for any level of coverage could require MFA implementation, Kilmer added, but it will almost certainly be required to access the best terms. “You are not going to get the Cadillac terms if you do not have MFA,” he said. “You should also have an email filtering solution, some type of endpoint detection and response, and you should be able to encrypt all of your networks and mobile devices.”
Some insurance carriers are helping companies fill security gaps, Olson added. “Cyber insurance providers are being more forthright in working with clients to implement some of these practices, keep them informed on improving their data security practices, and help them improve their risk profile,” he said, pointing to an overall trend toward Cyber and Privacy Liability Insurance carriers taking “a more consultative approach” in assisting companies. “They may have teams of experts to work with companies to implement MFA, for example, or send out an alert to proactively tell their clients to conduct certain software updates.”
Addressing misunderstandings vs. misrepresentation
It is important for companies to have all stakeholders involved in the attestation process; if the executives filling out a Cyber and Privacy Liability Insurance application are not those most familiar with their organization’s MFA practices, for instance, misunderstandings could arise. “They might be answering the question to their best intention, and that is where it gets gray,” Kilmer said. “It can be tough, in that case.”
Still, every commercial insurance policy placement is based upon a company’s representation of its risk, Olson said. “How that risk is conveyed and defined to the cyber marketplace is becoming more granular,” he said. “Even if they do not have a technical background, it is incumbent upon the applicant to engage the IT team and ask the appropriate questions so they can provide thorough and accurate information to the carrier. The depth of detail is greater than it used to be.”
Kilmer agreed, encouraging company leaders to have conversations with their teams about security protocols while completing any insurance applications. “The insurance broker also plays a more vital role than they have in the past,” he said. “Misrepresentation puts more of the ownership on the applicant, but there is also the avenue of the broker’s part as far as whether or not they are pushing into a certain market that may not fit the risk.”
Strong security protocols needed amid more frequent, severe losses
An increase in cyberattacks and worsening loss severity have created a more challenging market for Cyber and Privacy Liability Insurance, which can provide immediate resources in the event of a data breach and cover costs such as notification, investigation, data recovery and potential ransom demands.
The number of reported data breaches in the U.S. grew 10% in 2021, Security Magazine reported earlier this year. Cyberattacks have also escalated in Canada, where legislation is being proposed that would require companies in certain industries to report cyberattacks to the federal government and bolster their cybersecurity efforts, according to a Reuters article published in June. In the health care industry, which has been particularly hard hit, data breaches cost an average of $10.1 million each, Fierce Healthcare reported in July.
“The availability of cyber coverage is just not there for companies that do not have full MFA and most or all of the data security practices that underwriters need to see,” Olson said. “These data security practices apply across the board for all industries and for all-size companies, where everyone needs to be aware of those practices and how to implement them.”
The cost of implementing those actions is minor compared to the impact of facing a data breach without Cyber and Privacy Liability Insurance, Kilmer said. “Business owners cannot go without cyber liability protection both from an insurance and a security team standpoint. Not having both in place could cause great financial harm, jeopardizing their business’s longevity. Now is not the time to cut corners in cyber security.”