With cyber insurance claims booming, insurers are intently examining whether they can cancel cyber policies after claims have been filed. To do this, they scour through application documents searching for potential false statements.
Business owners are understandably anxious when buying cyber insurance. The insurers write their own policies rather than using a standard form. Broad grants of coverage are whittled away through policy definitions, limitations, exclusions, and endorsements. And now insurers are trying to use the application documents, which ask detailed questions about your organization’s processes and procedures to protect your data, as a back door to try to escape their coverage obligations in response to high-dollar claims.
Cyber insurance claims are growing. According to Experian, in 2021, almost half of all organizations experienced a ransomware attack, and nearly half of the ransoms paid were for $100,000 or more. Experian reported that the average total cost for a ransomware breach was $4.62 million. A company’s decision to pay a ransom becomes much more understandable after the business has been without its data for two or three weeks, especially when backups needed to get the business up and running are not as robust as first expected.
One example: in July 2022, Travelers filed a lawsuit in federal court in central Illinois to rescind a cyber insurance policy issued to a 150-employee company called International Control Services, Inc. (ICS). ICS is an electronics manufacturing services company that serves various industries, including medical, network and communications, agricultural, and aerospace and defense.
According to Travelers’ complaint, when ICS applied for the cyber policy, it was specifically asked about its use of multifactor authentication. Multifactor authentication requires a user to provide two or more verification factors to gain access to a resource. An example of multifactor authentication would be having login credentials (something you know) and having a phone to receive a text message with a passcode (something you have) to gain access.
After ICS reported to Travelers that it had been victimized by a ransomware attack and would be pursuing a claim under its cyber policy, which had $1 million in coverage, Travelers investigated the method of attack and examined ICS’s policy application documents to determine if there were any grounds to rescind the policy. Like the law of most states, Illinois law allows an insurer to void a policy where an applicant gives a false answer with actual intent to deceive, or where the false answer materially affects either the acceptance of the risk or the hazard assumed by the company.
Travelers investigated the attack and determined that the intruders gained access to ICS’s servers to install the ransomware. Travelers next determined that ICS was not using multifactor authentication a few months earlier when it applied for the policy, nor at the time of the attack.
Travelers then turned to the application documents. It noted that ICS answered “yes” to the application question, “Indicate whether the Applicant requires multi-factor authentication for administrative or privileged access?” Travelers interpreted ICS’s answer as a representation that ICS used multifactor authentication to protect its servers. Travelers claims it would not have issued ICS the cyber policy if it had been told that ICS was not using multifactor authentication to protect its servers. Still, Travelers may have a difficult time trying to convince a jury that an ordinary person of average intelligence would conclude that Travelers’ question was aimed at ICS’s use of multifactor authentication to protect its servers, especially since the question never used the word “server.”
Together with the application, Travelers required ICS to also submit a multifactor authentication attestation. Under the attestation, ICS answered “yes” to whether multifactor authentication was required for “All internal & remote admin access to organization’s endpoints/servers.” While this question specifically asks about using multifactor authentication to protect servers, there are different types of multifactor authentication. Knowing the login credentials and having a security badge to access the server room to work on the server would be multifactor authentication. The login credentials would be something you know. The security badge would be something you have, just like having a phone that receives a text message with a code. If an employee had to use multifactor authentication to log onto ICS’s system remotely, a jury could also conclude that remote access required multifactor authentication.
Finally, Travelers may be unable to benefit from the Illinois law at issue. Travelers filed the application and attestation as exhibits to its complaint. The signature block for both requires the company representative to certify the accuracy of the answers based on the representative’s knowledge and belief. Under Illinois law, when an insurer chooses to shift the focus of the statements, from their truth or falsity to whether the applicant believed them to be true based on what he or she knew or believed, the applicant’s answer must be assessed in light of his or her actual knowledge and belief. Golden Rule Ins. Co. v. Schwartz, 203 Ill.2d 456, 465-66 (2003). In other words, Travelers can no longer rely on the statute but must prove the applicant knew and believed the representations were false.
Buying cyber insurance for your business can be tricky. Most people want to identify any potential issues before they buy a policy rather than after a claim has been filed and the insurer threatens to file a lawsuit to disclaim coverage. You may want to speak with a lawyer to guide you through the application process: someone familiar with the risks and loss exposures of cyberattacks, the insurance policy provisions to be on the alert for, the grounds that cyber insurers are trying to use to avoid their coverage obligations, and the arguments in favor of coverage.