This is a big wake-up call for companies that have or want to get cyber liability insurance.
Part of what will be required of you as an insured company is that, if they give you cyber insurance or cyber liability protection insurance, you’re going to have to follow certain guidelines for keeping your system updated using proper procedures.
They’re going to give you some requirements of what your company has to do to keep that coverage, and they’re very serious about it. Here’s an example where a claim was denied, or rather where the insurance company is trying to rescind the insurance contract, because the insured didn’t follow basic practices for protecting their system and they had a loss. They were the subject of a hack and lost money. They put in a claim, and the insurance company said: “Well, you didn’t follow our requirements, and one of the requirements was MFA, multi-factor authentication.” As you probably already know, that’s the system where, when you go to log in to a bank, let’s say, they send you a text message with a code number that you have to put in in order to get in. It’s multi-factor authentication, not just a password: you also have to put in a code number.
The company said in their application: “We have that, we will use it, it’s enabled in our system.” But it turns out that they didn’t use it. The company didn’t use multi-factor authentication. Because of that, the insurance company is rescinding the policy, or trying to rescind the policy, because allegedly the company didn’t do what they said they were doing. What they’re asking the court to do is undo the policy. They said: “We would not have issued the policy at all if we knew that the company was not using multi-factor authentication as it said.” So the company said in their application, “we’re using 2FA,” or MFA, whatever you want to call it. Their cyber policy application, signed by the CEO and another person, said that the company used MFA for administrative and privileged access. They signed the application saying that.
However, following the ransomware event, the insurance company, Travelers, learned during the investigation that the company wasn’t using MFA on a server. They only used MFA to protect a firewall and did not use it to protect other assets. So this is a loophole, you might call it. You might say this is an insurance company trying to weasel out of a claim, trying to escape a claim, and maybe that’s true. But if you make a representation on an insurance contract, you have to abide by it. Here is the bigger takeaway.
If you have a cyber liability policy and the company tells you, “Here are the things that you need to do to protect yourself,” go ahead and do them.
Who knows: had they been using multi-factor authentication, they might not have had the loss in the first place, and they wouldn’t have had to put in a claim and worry about it getting rejected. So why not use it? It’s a very simple thing to do. Is it inconvenient to have to type in a password every time? Sure it is, right? But it would keep you from having the ransomware event in the first place, and it would keep you from having to fight with your insurance company if you use it. Like any other statement, anything you put on your application is presumed to be true. If you put down “we’re doing this” and you don’t, it’s called a misrepresentation, omission, or concealment of facts, all of which materially affect the acceptance of risk.
So before the insurance company says “we’ll take on your risk,” they’re going to use your statements as representations of what their risk is. This event happened in 2020. This is two years ago, almost a year and a half ago. The hackers gained access to the username and password of the administrator, and they were able to log in because there was no multi-factor authentication. Travelers wants the court to declare the insurance contract null and void, rescind the policy, and declare that it has no duty to pay the claim.
What are your thoughts on this if you’re an insurance company? Tell us what you think about this event happening. And how would you handle it if you were a company? Make sure that you get good descriptions of what your requirements are from your insurer before you take on any kind of insurance, much less cyber liability.