Cyber Insurance: BEWARE...New Application Risks
David Mauro
Driving SMB Growth Uninterrupted | Concierge Cybersecurity | NetGain Technologies | Speaker, Cyber Educator, Podcast Host | A.I. Think Tank Fellow | InfraGard Member
Picture the scene. The jury files in, the Judge presides and the witness takes the stand. Real life. High stakes. Someone's liberty, and/or Millions of Dollars, can be at stake. Before the witness can explain what they saw they must pledge an Oath with their hand on a Bible.
An oath punishable by their very own imprisonment:
To Tell the Truth...and here is the part most people miss...The Whole Truth and Nothing But The Truth So Help Them God.
This is the standard. That when testifying one subjects themselves to their own imprisonment. It's a safeguard to try and get to the Truth. It's a deterrent to people lying, exaggerating and "flowering" their stories.
So that same Oath is what is expected when people "attest" to things in business or otherwise submit legal documents verifying that they are in fact what they purport to be. While applying for Cyber Insurance does not subject one to imprisonment, there is a legal burden that is identical when "attesting" to the facts on the Application Form: to Tell the Whole Truth.
The whole truth means one cannot "omit" important things: things that, had they been said, would have changed the decisions and behavior of the other party.
The key: when applying for Cyber Insurance you need to engage a team (legal, IT, HR, etc.) to ensure you do not omit or misrepresent anything important (a "material" matter).
In Travelers vs ICS, filed on July 6th in Federal Court in the U.S. District Court for the Central District of Illinois, Urbana Division, Travelers is seeking a Declaratory Judgment asking the federal court to issue a ruling that ICS did not tell "the whole truth" when applying for a $1 Million Cybersecurity Insurance Policy.
Specifically, Travelers filed suit to rescind the policy and to obtain a declaration that the policy is essentially null and void. They want to rescind the policy they had issued to ICS because of alleged "material representations, omissions, concealment of facts" and incorrect statements made by ICS when submitting the application for insurance.
Legal experts and industry specialists are watching this case closely. It goes to the heart of what business owners "know" and claim to know about their state of technology at the time of applying for insurance.
What Happened with ICS?
In the ICS case, the company had a ransomware attack back in 2020. As they recovered from that event, they changed usernames and passwords for the affected systems and servers.
They had applied for insurance with Travelers and signed "Attestations" (think about the Oath described above in a very real sense). There they indicated they had multi-factor authentication (MFA) on all their servers, systems and for third parties accessing them. Travelers issued ICS a Cyber policy for $1 Million for only $25,000 a year.
Fast forward to May 31, 2022: ICS suffered another ransomware attack on one of its servers. Several days later they turned it over to Travelers, which then investigated (yes, Insurers will investigate claims made once a Cyber event happens).
Travelers found that at the time of this May 2022 ransomware attack, ICS was using MFA only for their Firewall and did not use MFA for their other digital assets. Namely, ICS didn't have MFA for the server that was attacked with ransomware.
Travelers filed suit for declaratory judgment and claims ICS had made "material misrepresentations" when applying for the policy.
We have no opinion on what ICS did or did not do, in reality, or how the ruling will result. But what we do know is this is a bold move by an insurer to make a statement and the impact will be widespread no matter how the court rules. This is not legal or financial advice, it is a personal observation, so take it for what it is.
Illinois Courts have interpreted "material misrepresentation", as it pertains to insurance contracts, as an untrue fact which affects the risk undertaken by the insurer.
What Happens in a Rescission?
A rescission is different than a claim denial or a policy termination. When an insurance company rescinds a policy, they are basically saying the insurance policy never existed. The practical effect is that once rescinded, the policyholder will be put back into the position they were before the policy was entered, meaning any premiums paid will be refunded.
A rescission declares that the policy was invalid from the start for one reason or another. Insurance companies may rescind a policy if a policyholder made a false or material misrepresentation in their initial policy application. This also includes when made in statements to the insurance provider. When an insurance company rescinds a policy, they must inform the policyholder via a rescission notice, in which they must return or offer to return the policy premiums paid.
Typically, insurance companies will claim that a policyholder lied about some material fact. Examples of this can include things like not telling the insurer an insured had a DUI on an auto policy application or smoked on a life insurance policy application. Here, in the Cyber Insurance application process, it means the policyholder is stating that they have certain "controls" (safety or cybersecurity standards) in place and in use across all their technologies, when in fact they do not. The fact must be “material,” meaning important to the contract, to justify rescission.
What is a Material Misrepresentation?
Illinois Courts have interpreted "material misrepresentation", as it pertains to insurance contracts, as an untrue fact which affects the risk undertaken by the insurer. Thus, the insured's misrepresentation must be shown to have caused a substantial increase in the risk insured against, and would have, if the misrepresentations were known by the insurer, caused a rejection of the application. American Country Ins. Co. v. Mahoney, 148 Ill.Dec. 438, 560 N.E.2d 1035 (Ill.App. 1 Dist. 1990).
Generally, a good faith mistake is not an excuse. It does not excuse a material misrepresentation on an insurance application and does not stop an insurer from rescinding a policy under Illinois law. Bageanis v. American Bankers Life Assur. Co. of Florida, 783 F.Supp 1141.
Insurers also do not have to conduct an audit or independent verification of the information provided by the insured. Allstate Insurance Company v. National Tea Co., 323 N.E.2d 521 (1 Dist 1975). For example, in Bade v. Badger Mutual Ins. Co., 142 N.E.2d 218 (1966), the court allowed the insurer to rescind the policy even though the misrepresentations were discovered four years - and several renewals - after they were made.
What is a Declaratory Judgment?
A declaratory judgment is a court-issued judgment that defines and outlines the rights and obligations of each party in a contract. Declaratory judgments have the same effect and force as final judgments and are legally binding. These judgments are also called a declaration or declaratory relief.
A declaratory judgment usually involves summary judgment motions or bench trials, involving judges, rather than jury trials. A court-issued declaratory judgment doesn't usually award damages but the results of the ruling or "declaration" can be financially devastating.
What Can You Do?
One of the significant things to realize is that the Cyber Industry is still developing. This was a bold move by Travelers to make new precedent and to create rules around this technology-related aspect to insurance.
Insurance policies, applications and attestations are legal contracts. When applying, there are clear questions insurers ask and they require definitive answers. You can't guess and you should never do it alone. It requires involvement by IT, Executive Ownership, HR and preferably legal counsel.
The application process is the time to evaluate your technology controls, policy and systems. Engage the right stakeholders so that events like what happened to ICS won't happen to you.
Always ask! One thing to remember is that you can always ask. In the insurance application process it's called an addendum. File one and ask the insurer and broker to explain what they mean by certain terms. Explain that you "sort of" have certain aspects covered and get things sorted up front. Don't pay premiums only to have to later retain counsel, litigate and be left without coverage.
It's your brand. Protect it.
NOTE: Again, this is not legal or financial advice, it is a personal observation, so take it for what it is.
Set Cybersecurity Priorities-Ask for Help
Cybersecurity is not the responsibility of the CIO. It’s the responsibility of the C-Suite. Top leadership own, founded or manage the brand. When a breach destroys the trust customers have in the organization, the brand is irreparably harmed. That accountability does not fall solely into the lap of the top tech person. Sure, they may have the team to manage systems and infrastructure, but it’s the executive leaders who set funding and priorities and place security top of mind in the culture.
Those who run the culture of an organization actually own the responsibility for cybersecurity.
If you don’t know what steps to take, or which priorities to set this year, then simply get help. Contact your IT advisor or get an independent holistic perspective on your state of risk from our team at All Covered-Konica Minolta, a Top 10 rated Cybersecurity Firm globally, located right here in the US.
David Mauro
Regional Manager US Central Region
All Covered, Konica Minolta Business Solutions, US
Contact David Mauro and the All Covered Team to learn more.
Subscribe at CYBERCRIMEJUNKIES.COM
Like/Follow on Facebook @CYBER CRIME JUNKIES
Please Share & Follow