When Cyber Insurance Fails: Why Your Policy Claim Could Be Denied
This is a big wake-up call for companies that have or want to get cyber liability insurance. Part of what will be required of you as an insured company is that if they give you cyber insurance or cyber liability protection insurance, you're going to have to follow certain guidelines for keeping your system updated and using proper procedures. They’re going to give you some requirements for what your company has to do to keep that coverage, and they’re very serious about it. Here’s an example where a claim was denied, or the insurance company tried to deny the insurance contract, because the insured didn’t follow basic practices for protecting their system.
They had a loss — they were the subject of a hack and lost money. They put in a claim, and the insurance company said, “Well, you didn’t follow our requirements.” One of the requirements was MFA, multi-factor authentication. That’s the system, as you probably already know, that you see when you go to log in to a bank, for example. They send you a text message with a code number that you have to enter in order to get in. It’s multi-factor authentication — not just a password, you also have to put in a code number.
The company said in their application, “We have that, we will use it, it’s enabled in our system,” but it turned out they didn’t use the multi-factor authentication. Because of that, the insurance company is rescinding the policy or trying to rescind the policy because allegedly the company didn’t do what they said they were doing.
So what they’re asking the court is to say, “Undo the policy. We would not have issued the policy at all if we knew that the company was not using multi-factor authentication as it said.” The company said in their application they were using 2FA or MFA, whatever you want to call it, and their cyber application policy, signed by the CEO and another person, said that the company used MFA for administrative and privileged access. They signed the application saying that.
However, following the ransomware event, the insurance company Travelers learned during investigation that the company wasn’t using MFA on its server. They only used MFA to protect a firewall and did not use it to protect other assets. So this is a loophole, you might call it. Well, this is an insurance company trying to weasel out of a claim, trying to escape paying a claim — which maybe that’s true. But if you make a representation on an insurance contract, you have to abide by it.
The bigger takeaway is if you have a cyber liability policy and the company tells you, “Here’s the things that you need to do to protect yourself,” go ahead and do them. Who knows, had they been using multi-factor authentication, they might not have had the loss in the first place and wouldn’t have had to put in a claim and worry about it getting rejected. So why not use it? It’s a very simple thing to do. Is it inconvenient to have to type in a password every time? Sure, it is. But it would keep you from having the ransomware event in the first place and it would keep you from having to fight with your insurance company.
It’s like any other statement: anything you put on your application is presumed to be true. If you put down “We’re doing this” and you don’t, it’s called a misrepresentation, omission, or constructive facts — all of which materially affect the acceptance of risk. So before the insurance company says, “We’ll take on your risk,” they’re going to use your statements as representations of what their risk is.
This event happened in 2020, two years ago — almost a year and a half ago — and hackers gained access to the username and password of the administrator, and they were able to log in because there was no multi-factor authentication. Travelers wants the court to declare the insurance contract null and void, rescind the policy, and declare they have no duty to pay the claim.
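The following is an added illustration, not code from the podcast or from the insurer or company involved, of the mechanism the story turns on: a password check with a TOTP second factor (RFC 6238) behind it, and a flag for whether MFA is actually enforced on a given login path. Every user, password and secret in it is constructed for the example (the TOTP secret is the RFC 6238 test-vector key), and the `authenticate` function, `USERS` directory and `mfa_enforced` switch are assumptions made for the demonstration; a real deployment would keep per-user salts and secrets in a proper store.

```python
"""Added example: TOTP (RFC 6238) as a second factor next to a password check.
Shows why a stolen admin password alone is not enough once MFA is enforced on
the login path, and why it is enough when MFA is only on some other asset.
Constructed data throughout; not the page's or any vendor's code."""
import hashlib
import hmac
import struct
from typing import Optional

SALT = b"constructed-demo-salt"  # assumption: real systems use a per-user random salt


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(key, c, len(code)), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)


# Constructed directory: one privileged account with an enrolled TOTP secret.
USERS = {
    "administrator": {
        "password_hash": hash_password("Winter2020!"),  # constructed password
        "totp_secret": b"12345678901234567890",         # RFC 6238 test-vector key
    }
}


def authenticate(username: str, password: str, totp_code: Optional[str],
                 now: int, mfa_enforced: bool) -> bool:
    """Password check first, then the second factor if MFA is enforced on this path."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["password_hash"], hash_password(password)):
        return False
    if not mfa_enforced:
        return True  # the gap in the story: valid credentials alone get in
    if totp_code is None:
        return False
    return verify_totp(user["totp_secret"], totp_code, now)


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector timestamp; real code uses int(time.time())
    stolen = "Winter2020!"
    secret = USERS["administrator"]["totp_secret"]
    print("server login, MFA not enforced, stolen password only:",
          authenticate("administrator", stolen, None, now, mfa_enforced=False))
    print("MFA enforced, stolen password only:",
          authenticate("administrator", stolen, None, now, mfa_enforced=True))
    print("MFA enforced, password plus code from the enrolled device:",
          authenticate("administrator", stolen, totp(secret, now), now, mfa_enforced=True))
```

Run as-is, the first line prints True and the second False: with the same stolen administrator password, the only difference is whether the second factor is checked on that login path, which is exactly the distinction between “MFA on the firewall” and “MFA on the server” in the story above.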
What are your thoughts on this if you’re an insurance company? If you are an insured, if you are a company that has coverage or not, tell us what you think about this event happening and how you would handle it if you were a company.
Make sure that you get good descriptions of what your requirements are from your insurer before you take on any kind of insurance — much less cyber liability insurance.
